yahoo-eng-team team mailing list archive

[Bug 1843907] Re: Cannot create provider network as admin of a domain

 

Just found out about
https://bugs.launchpad.net/charm-neutron-api/+bug/1830536

This seems to be fallout from that security hole fix. Marking bug as
invalid.

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1843907

Title:
  Cannot create provider network as admin of a domain

Status in neutron:
  Invalid

Bug description:
  In a bionic queens openstack cloud, when using multiple domains (i.e.
  admin_domain and domain2), the admin of domain2 can't create a
  provider network. The error is:

  $ openstack network create --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 3127 Critical-Infra

  Error while executing command: HttpException: Unknown error,
  {"NeutronError": {"message": "(((rule:create_network and
  rule:create_network:provider:physical_network) and
  rule:create_network:provider:network_type) and
  rule:create_network:provider:segmentation_id) is disallowed by
  policy", "type": "PolicyNotAuthorized", "detail": ""}}

  Output with --debug enabled: http://paste.openstack.org/show/775776/

  No changes have been made to the policy.json files of the cloud.

  This same command works in the same scenario in a xenial queens cloud.

  openstack role assignment list:

  | Member  | | mygroup@mydomain.local | admin@mydomain.local |                |  | False  |
  | Admin   | | mygroup@mydomain.local | admin@mydomain.local |                |  | False  |
  | Member  | | mygroup@mydomain.local |                      | mydomain.local |  | False  |
  | Admin   | | mygroup@mydomain.local |                      | mydomain.local |  | False  |

  It doesn't matter if domain2 is a keystone ldap domain or a regular
  created domain.

  On a side note, uploading a public image to glance with that admin of
  domain2 works, so this is not an openstack-wide issue of that admin
  not being recognized as an admin in general, but something more
  granular.

  Ubuntu 18.04 bionic
  neutron version 2:12.0.6-0ubuntu3
  Neutron Api charm #277

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1843907/+subscriptions

