yahoo-eng-team team mailing list archive
Message #75368
[Bug 1796854] Re: Neutron doesn't respect advsvc role while creating port
Reviewed: https://review.openstack.org/609633
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=00147a7d700e6d0142161152137bbab0c39ce4c0
Submitter: Zuul
Branch: master
commit 00147a7d700e6d0142161152137bbab0c39ce4c0
Author: Maciej Józefczyk <maciej.jozefczyk@xxxxxxxxxxxx>
Date: Thu Oct 11 08:57:29 2018 +0000
Allow advsvc role to create port in foreign tenant
Change [1] introduced support for the advsvc role. This added the
possibility for a user with the role advsvc to make CRUD operations
on ports, subnets and networks in foreign tenants.
Due to the check in _validate_privileges() it was not working.
This patch fixes that.
Closes-Bug: #1796854
[1] https://review.openstack.org/#/c/101281
Change-Id: I6a3f91337bf8dd32012a75916e3409e30f46b50d
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1796854
Title:
Neutron doesn't respect advsvc role while creating port
Status in neutron:
Fix Released
Bug description:
Neutron doesn't allow a user with the role 'advsvc' to add a port in another user's tenant network.
Introduced change:
https://review.openstack.org/#/c/101281/10
It should allow that, but in fact in neutron-lib there is no validation for the advsvc role:
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28
Error:
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
----------------
Version
----------------
Devstack master.
----------------
How to reproduce
----------------
1. Set up devstack master, add a new project and a user in this project with the role advsvc
source devstack/openrc admin demo
openstack project create advsvc-project
openstack user create --project advsvc-project --password test advsvc-project-user
openstack role create advsvc
openstack role add --user advsvc-project-user --project advsvc-project advsvc
openstack role add --user advsvc-project-user --project advsvc-project member
2. Create a network in the other project.
openstack project create test-project
openstack user create --project test-project --password test test-project-user
openstack role add --user test-project-user --project test-project member
neutron net-create private-net-test-user --provider:network_type=vxlan --provider:segmentation_id=1234 --project-id [[ test-project-id ]]
neutron subnet-create private-net-test-user --name private-subnet-test-user --allocation-pool start=10.13.12.100,end=10.13.12.130 10.13.12.0/24 --dns-nameserver 8.8.8.8 --project-id [[ test-project-id ]]
3. Create a port in the test-project tenant as a user with the advsvc role:
stack@mjozefcz-devstack:~$ neutron port-create --tenant-id 865073224f7b4e9d9fdd4a446e3a4af4 private-net-test-user
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
Neutron server returns request_ids: ['req-e841edb1-2cf2-47b6-a493-11a56114a323']
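As an added example, not neutron-lib's own code: a Python model of the `_validate_privileges()` check the report points at, with the admin-only form that produces the quoted error beside the form the fix describes (admin or advsvc). `Context`, its role flags, `PrivilegeError` and the project ids are constructed stand-ins for neutron's request context and exception types.

```python
# Added example, not neutron-lib's code: a model of the project-id privilege
# check from the bug, in pre-fix (admin only) and fixed (admin or advsvc) forms.
# Context is a simplified stand-in for neutron's request context.
from dataclasses import dataclass

ERR = ("Specifying 'project_id' or 'tenant_id' other than the authenticated "
       "project in request requires admin privileges")

@dataclass
class Context:
    """Minimal stand-in for the neutron request context (constructed)."""
    project_id: str
    is_admin: bool = False
    is_advsvc: bool = False

class PrivilegeError(Exception):
    pass

def _foreign_project(context, res_dict):
    """True when the request names a project other than the caller's own."""
    target = res_dict.get('project_id', res_dict.get('tenant_id'))
    return target is not None and target != context.project_id

def validate_privileges_before(context, res_dict):
    """Pre-fix check: only admin may act on a foreign project."""
    if _foreign_project(context, res_dict) and not context.is_admin:
        raise PrivilegeError(ERR)

def validate_privileges_after(context, res_dict):
    """Fixed check: admin or advsvc may act on a foreign project."""
    if (_foreign_project(context, res_dict)
            and not (context.is_admin or context.is_advsvc)):
        raise PrivilegeError(ERR)

def allowed(check, context, res_dict):
    # True if `check` accepts the request, False if it rejects it.
    try:
        check(context, res_dict)
    except PrivilegeError:
        return False
    return True

# Constructed request: advsvc user in its own project creating a port owned by
# the other project, as in step 3 of the bug report.
ADVSVC = Context(project_id='advsvc-project-id', is_advsvc=True)
FOREIGN_PORT = {'tenant_id': 'test-project-id', 'network_id': 'net-id'}

def demo():
    """Outcome of the same request under both versions of the check."""
    return (allowed(validate_privileges_before, ADVSVC, FOREIGN_PORT),
            allowed(validate_privileges_after, ADVSVC, FOREIGN_PORT))
```

`demo()` returns `(False, True)`: the pre-fix check rejects the advsvc request with the quoted error, the fixed check accepts it, while a plain member is still rejected by both.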
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1796854/+subscriptions