yahoo-eng-team team mailing list archive

[Bug 1801779] [NEW] Policy rule rule:create_port:fixed_ips:subnet_id doesn't allow non-admin to create port on specific subnet

 

Public bug reported:

Running roughly master branch. According to pip,
neutron==13.0.0.0rc2.dev324. I know that isn't super helpful from a dev
perspective, but this is a kolla image and I don't have a great way to
map this back to a SHA.

Trying to create a port on a specific subnet on a shared network. I have
the following policy rules, which seem to imply I should be able to do
this:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

Client logs here:
https://gist.github.com/jimrollenhagen/82514bee47ad66e1e878c56d8fd66453

Not much showing up in neutron-server.log, but can provide more info if
needed.

** Affects: neutron
     Importance: Undecided
         Status: New

** Description changed:

+ Running roughly master branch. According to pip,
+ neutron==13.0.0.0rc2.dev324. I know that isn't super helpful from a dev
+ perspective, but this is a kolla image and I don't have a great way to
+ map this back to a SHA.
+ 
  Trying to create a port on a specific subnet on a shared network. I have
  the following policy rules, which seem to imply I should be able to do
  this:
  
-     "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
-     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
-     "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
+     "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+     "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
  
  Client logs here:
  https://gist.github.com/jimrollenhagen/82514bee47ad66e1e878c56d8fd66453
  
  Not much showing up in neutron-server.log, but can provide more info if
  needed.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1801779
