yahoo-eng-team team mailing list archive
Message #78964
[Bug 1833455] [NEW] [RBAC] User is not allowed to create port with fixed IP on shared network via RBAC
Public bug reported:
1. Create tenant1 with user1 and tenant2 with user2, assign testrole
to both
2. Change the default policy.json to allow creation of ports with fixed
IP address in a shared network:
()[root@controller-2 /]# diff /etc/neutron/policy.json /etc/neutron/policy.json.bkp
78c78
< "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
---
> "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
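Review bot: the diff is taken with the edited file as the left operand (`diff policy.json policy.json.bkp`), so the `<` line at 78 is the rule that is now active and the `>` line is the backed-up default; the only change is the appended `or rule:shared`, which is the clause the failing check in step 4 is expected to satisfy.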
3. As user1 create a network and share it via RBAC to tenant2:
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2019-06-19T18:01:01Z |
| description | |
| dns_domain | None |
| id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | rbacnet1 |
| port_security_enabled | True |
| project_id | 4ff7e3db6d64429db1b39f993bb99411 |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2019-06-19T18:01:02Z |
+---------------------------+--------------------------------------+
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------+--------------------------------------+
| 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | |
| d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
+--------------------------------------+----------+--------------------------------------+
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf1add0902f73690bac rbacnet1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | e377033b-f374-4fd5-8015-9a7426681d7e |
| name | None |
| object_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| object_type | network |
| project_id | 4ff7e3db6d64429db1b39f993bb99411 |
| target_project_id | ba08ccc271614bf1add0902f73690bac |
+-------------------+--------------------------------------+
user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | 10.0.100.2-10.0.100.254 |
| cidr | 10.0.100.0/24 |
| created_at | 2019-06-19T18:10:50Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.100.1 |
| host_routes | |
| id | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | rbacsubnet1 |
| network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| project_id | 4ff7e3db6d64429db1b39f993bb99411 |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2019-06-19T18:10:50Z |
+-------------------+--------------------------------------+
4. As user2 try to create a port with a fixed IP
user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------+--------------------------------------+
| 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
| d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
+--------------------------------------+----------+--------------------------------------+
user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
| shared | True |
user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=rbacsubnet1,ip-address=10.0.100.123
HttpException: 403: Client Error for url: http://10.0.0.112:9696/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
5. Creating the port without fixed IP works fine
user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
+-----------------------+----------------------------------------------------------------------------+
| Field | Value |
+-----------------------+----------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2019-06-19T18:28:49Z |
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='10.0.100.15', subnet_id='c00f565b-e4eb-4bf5-852c-8a22b95911fa' |
| id | 7fe12e20-0e2c-4801-9742-da2eeef63f43 |
| mac_address | fa:16:3e:99:6e:6b |
| name | portx11 |
| network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| port_security_enabled | True |
| project_id | ba08ccc271614bf1add0902f73690bac |
| qos_policy_id | None |
| revision_number | 2 |
| security_group_ids | 063f4f88-24f8-442d-b1b4-d0f9e5bc4f9b |
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2019-06-19T18:28:49Z |
+-----------------------+----------------------------------------------------------------------------+
Expected result is that the port with fixed IP should be created following the policy.
Even though rule:shared should be honored, the policy is interpreted within an admin context where the network looks like shared = False.
Description is similar to an older bug:
- https://bugs.launchpad.net/neutron/+bug/1543756
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1833455
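The explanation in the report is that the `rule:shared` clause is evaluated against a view of the network in which `shared` is the raw stored flag (False), even though the requesting project sees `shared = True` because of the RBAC entry. The following is an added illustration, not Neutron's own code: a minimal re-creation of that evaluation with the policy string and the project/network IDs from the report. The `Context` and `Network` classes, the helper names, the `network:`-prefixed target keys and the or-only rule mini-language are assumptions made for this example.

```python
# Added illustration (not Neutron code): why an or-joined policy rule that
# relies on the network's 'shared' attribute denies a port create on an
# RBAC-shared network when the network is looked up with an admin context.
from dataclasses import dataclass, field

# Policy string exactly as set in the report's policy.json (line 78).
POLICY = "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"


@dataclass
class Context:              # assumed shape of a request context
    project_id: str
    is_admin: bool = False
    is_advsvc: bool = False


@dataclass
class Network:              # assumed shape of a stored network
    id: str
    project_id: str
    shared: bool = False                               # raw DB column
    rbac_shared_to: set = field(default_factory=set)   # access_as_shared targets


def visible_as_shared(net: Network, ctx: Context) -> bool:
    """'shared' as the API shows it to a given caller: the raw flag, or an
    access_as_shared RBAC entry targeting the caller's project (or '*')."""
    return net.shared or ctx.project_id in net.rbac_shared_to or "*" in net.rbac_shared_to


# Named rules. Each takes the policy target (a flat dict with attributes of the
# parent network, key names assumed here) and the caller's context.
def rule_context_is_advsvc(target: dict, ctx: Context) -> bool:
    return ctx.is_advsvc


def rule_admin_or_network_owner(target: dict, ctx: Context) -> bool:
    return ctx.is_admin or target.get("network:project_id") == ctx.project_id


def rule_shared(target: dict, ctx: Context) -> bool:
    return bool(target.get("network:shared"))


RULES = {
    "context_is_advsvc": rule_context_is_advsvc,
    "admin_or_network_owner": rule_admin_or_network_owner,
    "shared": rule_shared,
}


def enforce(policy: str, target: dict, ctx: Context) -> bool:
    """Evaluate an 'or'-joined list of 'rule:<name>' references, the only
    operator this particular policy needs."""
    for clause in policy.split(" or "):
        clause = clause.strip()
        if not clause.startswith("rule:"):
            raise ValueError(f"unsupported clause: {clause}")
        if RULES[clause[len("rule:"):]](target, ctx):
            return True
    return False


def target_admin_view(net: Network) -> dict:
    """Target built from a network fetched with an elevated context: 'shared'
    is the raw column, so an RBAC-shared network reads False (the bug)."""
    return {"network:project_id": net.project_id, "network:shared": net.shared}


def target_caller_view(net: Network, ctx: Context) -> dict:
    """Target with 'shared' resolved for the requesting project instead."""
    return {"network:project_id": net.project_id,
            "network:shared": visible_as_shared(net, ctx)}


def reproduce() -> dict:
    """Replay the report: user2 (tenant2) creates a port with a fixed IP on
    rbacnet1, which user1 (tenant1) shared to tenant2 via RBAC."""
    rbacnet1 = Network(id="8961329b-08a2-4c7c-88cf-b5cca43ca678",
                       project_id="4ff7e3db6d64429db1b39f993bb99411",
                       rbac_shared_to={"ba08ccc271614bf1add0902f73690bac"})
    user1 = Context(project_id="4ff7e3db6d64429db1b39f993bb99411")
    user2 = Context(project_id="ba08ccc271614bf1add0902f73690bac")
    return {
        "user2_sees_shared": visible_as_shared(rbacnet1, user2),              # True
        "user2_admin_view": enforce(POLICY, target_admin_view(rbacnet1), user2),        # False: denied
        "user2_caller_view": enforce(POLICY, target_caller_view(rbacnet1, user2), user2),  # True
        "user1_owner": enforce(POLICY, target_admin_view(rbacnet1), user1),   # True
    }


if __name__ == "__main__":
    for name, result in reproduce().items():
        print(f"{name}: {result}")
```

The two `user2_*` results are the point: the same caller and the same policy string pass or fail depending only on which view of the network populates the target, which matches the `PolicyNotAuthorized` in step 4 while `openstack network show` reports `shared | True`. A defender reviewing a custom policy rule of this kind should confirm which context the enforcement target is built in before trusting that an RBAC share satisfies it.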