yahoo-eng-team team mailing list archive
Message #77933
[Bug 1824107] [NEW] RBAC: regression of port create/update by shared nw owners
Public bug reported:
Related to https://bugs.launchpad.net/neutron/+bug/1543756.
This fix was released in queens, but the following feature
(https://review.openstack.org/#/c/577471/) re-introduced the bug on
stable/rocky.
With a non-admin user, port creation/update with a subnet ID on a shared
network does not work anymore.
Example:
## Network RBAC
$ openstack network rbac show f3605376-2fbb-4bfe-b412-b053870c6d56
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | f3605376-2fbb-4bfe-b412-b053870c6d56 |
| name | None |
| object_id | 07386598-add7-4246-90a4-0294e85446fa |
| object_type | network |
| project_id | 0631a4dbf7c949f1878c4f4a6dbf1d32 |
| target_project_id | * |
+-------------------+--------------------------------------+
## Test port creation
$ openstack port create --network mynet --fixed-ip subnet=mysubnet testport
HttpException: 403: Client Error for url: http://openstack.example.org/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
Removing the line '"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",' from policy.json (and likewise the 'update_port:fixed_ip' rule) fixes the RBAC issue; everything then works well.
It seems the bug is also on stein (I did not test, I presume): https://github.com/openstack/neutron/blob/master/neutron/conf/policies/port.py#L69, since the policies have been included in code.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1824107
Title:
RBAC: regression of port create/update by shared nw owners
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1824107/+subscriptions
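The following is an added example, not part of the bug report and not Neutron's or oslo.policy's code: a toy evaluator for Neutron-style policy rule strings that reproduces why the `create_port:fixed_ips` rule quoted above denies a non-admin user of another project on a shared network, what the reporter's workaround (deleting the rule, so the action falls back to the `default` rule) changes, and, as an assumption not taken from the report, how a narrower rule that also accepts `rule:shared` would behave. The rule grammar, the `default` fallback, the way a port's parent network is exposed as `network:<field>` keys in the target, and the project id of the second tenant are all simplifications or constructed values; the toy also ignores the API-level visibility check that hides non-shared foreign networks before policy is consulted.

```python
"""Toy evaluator for Neutron-style policy rule strings (added example; not
oslo.policy and not Neutron's own policy engine, and simplified accordingly)."""

# Rule strings in the shape of Neutron's policy.json of that era. The
# 'create_port:fixed_ips' line is the one quoted in the bug report.
ROCKY_RULES = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
    "default": "rule:admin_or_owner",
    "create_port": "",
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
}


def _eval(expr, rules, target, creds):
    """Evaluate one rule expression. 'or' binds loosest, then 'and'."""
    expr = expr.strip()
    if expr == "":          # empty rule: always allowed
        return True
    if expr == "!":         # explicit deny
        return False
    if " or " in expr:
        return any(_eval(p, rules, target, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, rules, target, creds) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _eval(rules.get(value, "!"), rules, target, creds)
    if kind == "role":                       # caller must hold this role
        return value in creds.get("roles", ())
    if kind == "field":                      # e.g. field:networks:shared=True
        resource, _, rest = value.partition(":")
        field, _, expected = rest.partition("=")
        key = resource[:-1] + ":" + field    # simplification: 'networks' -> 'network:shared'
        return str(target.get(key)) == expected
    # Generic check, e.g. tenant_id:%(network:tenant_id)s: compare a credential
    # attribute with a value substituted from the target dict.
    try:
        return creds.get(kind) == value % target
    except KeyError:
        return False


def is_allowed(rules, action, target, creds):
    """Enforce 'action'; an action with no rule of its own falls back to 'default'."""
    expr = rules[action] if action in rules else rules.get("default", "!")
    return _eval(expr, rules, target, creds)


def port_create_with_fixed_ips(rules, target, creds):
    """A port create carrying fixed_ips needs both create_port and
    create_port:fixed_ips, the pair named in the 403 message of the report."""
    return (is_allowed(rules, "create_port", target, creds)
            and is_allowed(rules, "create_port:fixed_ips", target, creds))


# Constructed scenario mirroring the report: the network belongs to project
# 0631a4db... and is shared to '*'; a non-admin user of another project
# (constructed id below) creates a port on it with a subnet.
OWNER = "0631a4dbf7c949f1878c4f4a6dbf1d32"
OTHER = "1111111111111111111111111111aaaa"   # constructed project id
SHARED_NET_PORT = {"tenant_id": OTHER, "network:tenant_id": OWNER, "network:shared": True}
PRIVATE_NET_PORT = {"tenant_id": OTHER, "network:tenant_id": OWNER, "network:shared": False}
NON_ADMIN = {"tenant_id": OTHER, "roles": ["member"]}
ADMIN = {"tenant_id": OWNER, "roles": ["admin"]}

# The reporter's workaround: drop the rule so the action falls back to 'default'.
WORKAROUND_RULES = {k: v for k, v in ROCKY_RULES.items() if k != "create_port:fixed_ips"}
# Illustrative narrower alternative (assumption, not taken from the report):
# extend the rule with 'rule:shared' so only shared networks are opened up.
SHARED_AWARE_RULES = {**ROCKY_RULES, "create_port:fixed_ips":
                      "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"}

if __name__ == "__main__":
    for label, rules in [("rocky", ROCKY_RULES), ("workaround", WORKAROUND_RULES),
                         ("shared-aware", SHARED_AWARE_RULES)]:
        print(label, "shared net:", port_create_with_fixed_ips(rules, SHARED_NET_PORT, NON_ADMIN),
              "private net:", port_create_with_fixed_ips(rules, PRIVATE_NET_PORT, NON_ADMIN))
```

Running the block prints one line per rule set; the rocky set denies the non-admin user on the shared network (the 403 in the report), the workaround set allows it because the `default` rule only compares the port's own tenant_id with the caller's, and the shared-aware set allows the shared network while still denying a port with fixed_ips on a non-shared network owned by someone else.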