yahoo-eng-team team mailing list archive
Message #75173
[Bug 1796854] [NEW] Neutron doesn't respect advsvc role while creating port
Public bug reported:
Neutron doesn't allow a user with the role 'advsvc' to add a port in another user's tenant network.
The introduced change:
https://review.openstack.org/#/c/101281/10
should allow that, but in fact in neutron-lib there is no validation for the advsvc role:
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28
Error:
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
----------------
Version
----------------
Devstack master.
----------------
How to reproduce
----------------
1. Set up devstack master, add a new project and a user in this project with the role advsvc:
   source devstack/openrc admin demo
   openstack project create advsvc-project
   openstack user create --project advsvc-project --password test advsvc-project-user
   openstack role create advsvc
   openstack role add --user advsvc-project-user --project advsvc-project advsvc
   openstack role add --user advsvc-project-user --project advsvc-project member
2. Create a network in another project:
   openstack project create test-project
   openstack user create --project test-project --password test test-project-user
   openstack role add --user test-project-user --project test-project member
   neutron net-create private-net-test-user --provider:network_type=vxlan --provider:segmentation_id=1234 --project-id [[ test-project-id ]]
   neutron subnet-create private-net-test-user --name private-subnet-test-user --allocation-pool start=10.13.12.100,end=10.13.12.130 10.13.12.0/24 --dns-nameserver 8.8.8.8 --project-id [[ test-project-id ]]
3. Create a port in the test-project tenant as the user with the advsvc role:
   stack@mjozefcz-devstack:~$ neutron port-create --tenant-id 865073224f7b4e9d9fdd4a446e3a4af4 private-net-test-user
   neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
   Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
   Neutron server returns request_ids: ['req-e841edb1-2cf2-47b6-a493-11a56114a323']
** Affects: neutron
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1796854
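The ownership check the report describes, modelled as an added example (not code from the bug report or from neutron-lib). `Ctx`, `BadRequest`, `check_admin_only`, `check_with_advsvc` and `allowed` are hypothetical names, and the advsvc variant is an assumption about how the role could be honoured, not the project's fix.

```python
from dataclasses import dataclass

ERR = ("Specifying 'project_id' or 'tenant_id' other than the "
       "authenticated project in request requires admin privileges")


class BadRequest(Exception):
    """Stand-in for the HTTP 400 returned by the API."""


@dataclass(frozen=True)
class Ctx:
    # Hypothetical request context: caller's project and role names.
    project_id: str
    roles: frozenset = frozenset()

    @property
    def is_admin(self):
        return "admin" in self.roles

    @property
    def is_advsvc(self):
        return "advsvc" in self.roles


def _foreign_project(ctx, body):
    # True when the request names a project other than the caller's own;
    # 'tenant_id' is accepted as the legacy spelling of 'project_id'.
    requested = body.get("project_id", body.get("tenant_id"))
    return requested is not None and requested != ctx.project_id


def check_admin_only(ctx, body):
    """Behaviour seen in the report: only admin may name another project."""
    if _foreign_project(ctx, body) and not ctx.is_admin:
        raise BadRequest(ERR)


def check_with_advsvc(ctx, body):
    """Assumed variant: the advsvc role may also name another project."""
    if _foreign_project(ctx, body) and not (ctx.is_admin or ctx.is_advsvc):
        raise BadRequest(ERR)


def allowed(check, ctx, body):
    try:
        check(ctx, body)
        return True
    except BadRequest:
        return False
```

Honouring advsvc in this check turns the role into a cross-project privilege, so the role assignment itself becomes the control to restrict and audit.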