yahoo-eng-team team mailing list archive

[Bug 1843907] [NEW] Cannot create provider network as admin of a domain

 

Public bug reported:

In a bionic queens openstack cloud, when using multiple domains (i.e.
admin_domain and domain2), the admin of domain2 can't create a provider
network. The error is:

$ openstack network create --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 3127 Critical-Infra

Error while executing command: HttpException: Unknown error,
{"NeutronError": {"message": "(((rule:create_network and
rule:create_network:provider:physical_network) and
rule:create_network:provider:network_type) and
rule:create_network:provider:segmentation_id) is disallowed by policy",
"type": "PolicyNotAuthorized", "detail": ""}}

Output with --debug enabled: http://paste.openstack.org/show/775776/

No changes have been made to the policy.json files of the cloud.

This same command works in the same scenario in a xenial queens cloud.

openstack role assignment list:

| Member  | | mygroup@mydomain.local | admin@mydomain.local |                |  | False  |
| Admin   | | mygroup@mydomain.local | admin@mydomain.local |                |  | False  |
| Member  | | mygroup@mydomain.local |                      | mydomain.local |  | False  |
| Admin   | | mygroup@mydomain.local |                      | mydomain.local |  | False  |
 
It doesn't matter if domain2 is a keystone ldap domain or a regular created domain.

On a side note, uploading a public image to glance with that admin of
domain2 works, so this is not an openstack-wide issue of that admin not
being recognized as an admin in general, but something more granular.

Ubuntu 16.04 xenial
neutron version 2:12.0.6-0ubuntu3
Neutron Api charm #277

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1843907
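
An added example, not part of the original report and not Neutron's own code: it extracts the rule names from the PolicyNotAuthorized body quoted in the report and expands each one through a policy file down to the leaf checks a token must satisfy. SAMPLE_POLICY is a constructed stand-in, not the affected cloud's policy.json, and `failed_rules`, `expand` and `explain` are hypothetical helper names.

```python
import json
import re

# Error body from the report above, with the e-mail line wrapping joined.
ERROR_BODY = (
    '{"NeutronError": {"message": "(((rule:create_network and '
    'rule:create_network:provider:physical_network) and '
    'rule:create_network:provider:network_type) and '
    'rule:create_network:provider:segmentation_id) is disallowed by policy", '
    '"type": "PolicyNotAuthorized", "detail": ""}}'
)

# Constructed sample policy (assumption): load the deployment's own
# policy.json here instead; these right-hand sides are illustrative.
SAMPLE_POLICY = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "create_network": "",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",
}

RULE_REF = re.compile(r"rule:([A-Za-z0-9_:]+)")

def failed_rules(body):
    """Rule names listed in a PolicyNotAuthorized body, in message order."""
    err = json.loads(body).get("NeutronError", {})
    if err.get("type") != "PolicyNotAuthorized":
        return []
    return RULE_REF.findall(err.get("message", ""))

def expand(name, policy, seen=()):
    """Inline rule: references until only leaf checks (role:, ...) remain."""
    if name in seen:
        return "<cycle:%s>" % name
    if name not in policy:
        return "<undefined:%s>" % name

    def inline(match):
        inner = expand(match.group(1), policy, seen + (name,))
        return "(%s)" % inner if " " in inner else inner

    # An empty rule string places no restriction on the caller.
    return RULE_REF.sub(inline, policy[name]) or "<always allowed>"

def explain(body, policy):
    """Map each rule from the error to the leaf checks it resolves to."""
    return {name: expand(name, policy) for name in failed_rules(body)}
```

Comparing the output of `explain` for the policy files of the working and the failing cloud shows whether the two deployments resolve the provider rules to the same leaf checks.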
