yahoo-eng-team team mailing list archive

[Bug 1808112] [NEW] rule:shared is not respected in port/subnet create

Public bug reported:

In neutron policy.json there are rules like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

but when I try to create a port with a given subnet_id (but without
ip_address) as a regular user, I can't do that because policy.json forbids
it. I get an error like:

[09:53:12] vagrant@devstack-ubuntu-ovs ~ $ openstack port create public_port --network public --fixed-ip subnet=1fc0a48d-f182-4bb0-b5d0-2dac8d1c6929
HttpException: 403: Client Error for url: http://10.0.0.10:9696/v2.0/ports, (rule:create_port and rule:create_port:fixed_ips) is disallowed by policy

Even if I changed first of those rules to be like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

it is still failing, and I think that it's because rule:shared is related
to the network, but during this POST call the target enforced by policy is
the port, and the port resource doesn't have a shared field at all.

** Affects: neutron
     Importance: Medium
         Status: New


** Tags: api

** Tags added: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808112

Title:
  rule:shared is not respected in port/subnet create

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1808112/+subscriptions
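The following is an added illustration of the mechanism the reporter describes, not code from the bug report or from neutron. It is a minimal stand-in for the policy evaluator: the rule definitions for "shared" and "admin_or_network_owner" are constructed here (the quoted create_port rules are taken from the report), and it shows that a field check against a port target carrying no "shared" attribute fails closed, while a target augmented with the parent network's shared flag passes.

```python
# Constructed policy fragment. The three create_port rules are the ones
# quoted in the bug report; "shared" and "admin_or_network_owner" are
# assumed definitions for this illustration.
POLICY = {
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner": "role:admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
}


def check(expr, target, creds, policy=POLICY):
    """Evaluate an 'or'-joined rule expression against a target dict.
    Supported checks: rule:<name>, role:<role>, field:<res>:<key>=<val>,
    and generic <cred_key>:%(<target_key>)s comparisons."""
    for term in expr.split(" or "):
        kind, _, rest = term.strip().partition(":")
        if kind == "rule":
            ok = check(policy[rest], target, creds, policy)
        elif kind == "role":
            ok = rest in creds.get("roles", [])
        elif kind == "field":
            _resource, _, kv = rest.partition(":")
            key, _, want = kv.partition("=")
            # Fail closed: a target lacking the attribute can never match.
            ok = key in target and str(target[key]) == want
        else:
            ref = rest[2:-2] if rest.startswith("%(") else rest
            ok = ref in target and creds.get(kind) == target[ref]
        if ok:
            return True
    return False


def subnet_id_allowed(target, creds):
    """The check that fails in the report: the target is the port body."""
    return check(POLICY["create_port:fixed_ips:subnet_id"], target, creds)


def with_network_shared(port_target, network):
    """Copy the parent network's shared flag onto the port target so that
    rule:shared has something to evaluate (constructed remediation shape)."""
    enriched = dict(port_target)
    enriched["shared"] = network["shared"]
    return enriched


# Constructed sample data: a non-admin user creating a port on a shared
# network owned by another project.
PORT_TARGET = {"network_id": "net-1", "fixed_ips": [{"subnet_id": "sub-1"}]}
NETWORK = {"id": "net-1", "tenant_id": "admin-proj", "shared": True}
USER = {"roles": ["member"], "tenant_id": "user-proj"}
ADMIN = {"roles": ["admin"], "tenant_id": "admin-proj"}
```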