yahoo-eng-team team mailing list archive

[Bug 1833455] Re: [RBAC] User is not allowed to create port with fixed IP on shared network via RBAC

 

Reviewed:  https://review.opendev.org/666816
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d5edb080b080bc5d5221f8586fc6ffdca7ab8b67
Submitter: Zuul
Branch:    master

commit d5edb080b080bc5d5221f8586fc6ffdca7ab8b67
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri Jun 21 13:09:05 2019 +0200

    Treat networks shared by RBAC in same way as shared with all tenants
    
    In patch [1] handle of networks with "shared" flag set to True was
    fixed and it is now possible to use "rule:shared" in API policy in
    actions related e.g. to ports or subnets.
    But network can be shared with some specific tenant only by doing it
    with RBAC mechanism and in such case it didn't work with [1] only.
    It was like that because context.get_admin_context() was used to get
    network so this returned network had got shared=False set even if
    request comes from tenant for which network was shared through RBAC.
    
    Now network will be always get with context which have got set proper
    tenant_id so "shared" flag will be set properly even in case if it's
    shared through RBAC.
    
    [1] https://review.opendev.org/#/c/652636/
    
    Change-Id: I38615c0d18bb5a1f22f3e7865ce24615a540aa9a
    Closes-Bug: #1833455


** Changed in: neutron
       Status: In Progress => Fix Released
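The cause described in the commit message, as an added Python illustration (this is not Neutron code; the `Store`, `Context`, `Network`, `RbacEntry` classes and the rule functions are invented stand-ins for the DB layer and the policy engine). The toy `get_network` evaluates the `shared` attribute for the calling context the way the API reports it, so fetching the network with an admin context, as the code did before the fix, loses the RBAC-derived sharing and `rule:shared` fails for the target tenant:

```python
# Added illustration of bug 1833455 (not Neutron code): a toy model of how the
# policy engine's view of a network's "shared" attribute depends on the context
# used to fetch the network. All class and function names are invented.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    project_id: Optional[str]   # None for an admin context with no tenant
    is_admin: bool = False


@dataclass
class Network:
    id: str
    project_id: str             # owning project
    shared: bool = False        # global "shared with all tenants" flag


@dataclass
class RbacEntry:
    object_id: str              # network id
    action: str                 # "access_as_shared" is the one that matters here
    target_project_id: str      # "*" would mean every project


class Store:
    """Minimal stand-in for the Neutron DB layer."""

    def __init__(self):
        self.networks = {}
        self.rbac = []

    def get_network(self, context, network_id):
        """Return the network with 'shared' evaluated for the caller: True if the
        network is globally shared or an RBAC entry grants access_as_shared to
        the caller's project. An admin context has no tenant, so it only sees the
        global flag, which is the root cause of the bug."""
        net = self.networks[network_id]
        shared_via_rbac = any(
            e.object_id == network_id
            and e.action == "access_as_shared"
            and e.target_project_id in ("*", context.project_id)
            for e in self.rbac
        )
        return Network(net.id, net.project_id, net.shared or shared_via_rbac)


# Policy rules as combined in the bug report's policy.json line:
# "create_port:fixed_ips:ip_address":
#     "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
def rule_admin_or_network_owner(context, network):
    return context.is_admin or network.project_id == context.project_id


def rule_shared(context, network):
    return network.shared


def allowed_fixed_ip(store, context, network_id, lookup_with_admin_context):
    """Evaluate the fixed-IP policy for a port create on network_id.
    lookup_with_admin_context=True reproduces the pre-fix behaviour (the network
    fetched via context.get_admin_context()); False is the post-fix behaviour
    (the network fetched with the caller's own context)."""
    lookup_ctx = Context(None, is_admin=True) if lookup_with_admin_context else context
    network = store.get_network(lookup_ctx, network_id)
    return rule_admin_or_network_owner(context, network) or rule_shared(context, network)


def build_scenario():
    """Constructed data mirroring the report: tenant1 owns rbacnet1 and shares it
    with tenant2 via RBAC; tenant3 has no access; pubnet is globally shared."""
    store = Store()
    store.networks["rbacnet1"] = Network("rbacnet1", "tenant1")
    store.networks["pubnet"] = Network("pubnet", "tenant1", shared=True)
    store.rbac.append(RbacEntry("rbacnet1", "access_as_shared", "tenant2"))
    return store


def run():
    """Return the policy outcome for each case; the RBAC target before the fix
    is the 403 PolicyNotAuthorized from the bug report."""
    store = build_scenario()
    user1, user2, user3 = Context("tenant1"), Context("tenant2"), Context("tenant3")
    return {
        "owner_before_fix": allowed_fixed_ip(store, user1, "rbacnet1", True),
        "rbac_target_before_fix": allowed_fixed_ip(store, user2, "rbacnet1", True),
        "rbac_target_after_fix": allowed_fixed_ip(store, user2, "rbacnet1", False),
        "stranger_after_fix": allowed_fixed_ip(store, user3, "rbacnet1", False),
        "globally_shared_before_fix": allowed_fixed_ip(store, user2, "pubnet", True),
    }


if __name__ == "__main__":
    for case, ok in run().items():
        print(f"{case:28s} {'allowed' if ok else 'PolicyNotAuthorized'}")
```

The owner and a globally shared network pass under both lookups, which is why the earlier patch [1] looked complete; only the RBAC-targeted tenant is affected, and only because the `shared` value is computed relative to the context that fetched the network.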

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1833455

Title:
  [RBAC]  User is not allowed to create port  with fixed IP on shared
  network via RBAC

Status in neutron:
  Fix Released

Bug description:
   1. Create tenant1 with user1 and tenant2 with user 2, assign testrole
  to both

   2. Change the default policy.json to allow creation of ports with
  fixed IP address in a shared network:

          ()[root@controller-2 /]# diff /etc/neutron/policy.json /etc/neutron/policy.json.bkp
          78c78
          <     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
          ---
          >     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",


   3. As user1 create a network and share it via RBAC to tenant2:

          user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
          +---------------------------+--------------------------------------+
          | Field                     | Value                                |
          +---------------------------+--------------------------------------+
          | admin_state_up            | UP                                   |
          | availability_zone_hints   |                                      |
          | availability_zones        |                                      |
          | created_at                | 2019-06-19T18:01:01Z                 |
          | description               |                                      |
          | dns_domain                | None                                 |
          | id                        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
          | ipv4_address_scope        | None                                 |
          | ipv6_address_scope        | None                                 |
          | is_default                | False                                |
          | is_vlan_transparent       | None                                 |
          | mtu                       | 1450                                 |
          | name                      | rbacnet1                             |
          | port_security_enabled     | True                                 |
          | project_id                | 4ff7e3db6d64429db1b39f993bb99411     |
          | provider:network_type     | None                                 |
          | provider:physical_network | None                                 |
          | provider:segmentation_id  | None                                 |
          | qos_policy_id             | None                                 |
          | revision_number           | 2                                    |
          | router:external           | Internal                             |
          | segments                  | None                                 |
          | shared                    | False                                |
          | status                    | ACTIVE                               |
          | subnets                   |                                      |
          | tags                      |                                      |
          | updated_at                | 2019-06-19T18:01:02Z                 |
          +---------------------------+--------------------------------------+
          user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
          +--------------------------------------+----------+--------------------------------------+
          | ID                                   | Name     | Subnets                              |
          +--------------------------------------+----------+--------------------------------------+
          | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 |                                      |
          | d6540930-acb2-48f9-8451-da3c5c7622aa | public   | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
          +--------------------------------------+----------+--------------------------------------+
          user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf1add0902f73690bac rbacnet1
          +-------------------+--------------------------------------+
          | Field             | Value                                |
          +-------------------+--------------------------------------+
          | action            | access_as_shared                     |
          | id                | e377033b-f374-4fd5-8015-9a7426681d7e |
          | name              | None                                 |
          | object_id         | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
          | object_type       | network                              |
          | project_id        | 4ff7e3db6d64429db1b39f993bb99411     |
          | target_project_id | ba08ccc271614bf1add0902f73690bac     |
          +-------------------+--------------------------------------+
          user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
          +-------------------+--------------------------------------+
          | Field             | Value                                |
          +-------------------+--------------------------------------+
          | allocation_pools  | 10.0.100.2-10.0.100.254              |
          | cidr              | 10.0.100.0/24                        |
          | created_at        | 2019-06-19T18:10:50Z                 |
          | description       |                                      |
          | dns_nameservers   |                                      |
          | enable_dhcp       | True                                 |
          | gateway_ip        | 10.0.100.1                           |
          | host_routes       |                                      |
          | id                | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
          | ip_version        | 4                                    |
          | ipv6_address_mode | None                                 |
          | ipv6_ra_mode      | None                                 |
          | name              | rbacsubnet1                          |
          | network_id        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
          | project_id        | 4ff7e3db6d64429db1b39f993bb99411     |
          | revision_number   | 0                                    |
          | segment_id        | None                                 |
          | service_types     |                                      |
          | subnetpool_id     | None                                 |
          | tags              |                                      |
          | updated_at        | 2019-06-19T18:10:50Z                 |
          +-------------------+--------------------------------------+

  
   4. As user2 try to create a port with a fixed IP

          user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
          user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
          +--------------------------------------+----------+--------------------------------------+
          | ID                                   | Name     | Subnets                              |
          +--------------------------------------+----------+--------------------------------------+
          | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
          | d6540930-acb2-48f9-8451-da3c5c7622aa | public   | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
          +--------------------------------------+----------+--------------------------------------+
          user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
          | shared                    | True                                 |

  
          user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=rbacsubnet1,ip-address=10.0.100.123
          HttpException: 403: Client Error for url: http://10.0.0.112:9696/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}


   5. Creating the port without fixed IP works fine

          user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
          +-----------------------+----------------------------------------------------------------------------+
          | Field                 | Value                                                                      |
          +-----------------------+----------------------------------------------------------------------------+
          | admin_state_up        | UP                                                                         |
          | allowed_address_pairs |                                                                            |
          | binding_host_id       | None                                                                       |
          | binding_profile       | None                                                                       |
          | binding_vif_details   | None                                                                       |
          | binding_vif_type      | None                                                                       |
          | binding_vnic_type     | normal                                                                     |
          | created_at            | 2019-06-19T18:28:49Z                                                       |
          | data_plane_status     | None                                                                       |
          | description           |                                                                            |
          | device_id             |                                                                            |
          | device_owner          |                                                                            |
          | dns_assignment        | None                                                                       |
          | dns_domain            | None                                                                       |
          | dns_name              | None                                                                       |
          | extra_dhcp_opts       |                                                                            |
          | fixed_ips             | ip_address='10.0.100.15', subnet_id='c00f565b-e4eb-4bf5-852c-8a22b95911fa' |
          | id                    | 7fe12e20-0e2c-4801-9742-da2eeef63f43                                       |
          | mac_address           | fa:16:3e:99:6e:6b                                                          |
          | name                  | portx11                                                                    |
          | network_id            | 8961329b-08a2-4c7c-88cf-b5cca43ca678                                       |
          | port_security_enabled | True                                                                       |
          | project_id            | ba08ccc271614bf1add0902f73690bac                                           |
          | qos_policy_id         | None                                                                       |
          | revision_number       | 2                                                                          |
          | security_group_ids    | 063f4f88-24f8-442d-b1b4-d0f9e5bc4f9b                                       |
          | status                | DOWN                                                                       |
          | tags                  |                                                                            |
          | trunk_details         | None                                                                       |
          | updated_at            | 2019-06-19T18:28:49Z                                                       |
          +-----------------------+----------------------------------------------------------------------------+


  Expected result is that the port with fixed IP should be created following the policy.
  Even though rule:shared should be honored, the policy is interpreted within an admin context where the network looks like shared = False.

  Description is similar to an older bug:
    - https://bugs.launchpad.net/neutron/+bug/1543756

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1833455/+subscriptions