
yahoo-eng-team team mailing list archive

[Bug 1793207] Re: external_gateway_info enable_snat attribute should be owner-modifiable


Was just going through old bugs and patches and noticed this one,
updating based on information I received.

From Salvatore:

"My recollection is the same as Akihiro. A tenant has no knowledge of IP
addressing beyond the resource it owns, and since a no-snat
configuration implies E-W L3 forwarding an “admin” entity should be
required to set this attribute. Another reason making this capability
self-service was breaking some use cases (more specifically an IPv6 only
cloud service that never did NAT, I think you remember them😉 ). On the
other hand the main driver were other operators complaining that in
their environment they really did not need NAT whereas the reference
implementation was SNATting by default. So limiting the capability to
admins was also one of the many compromises we did back in the heyday of
Neutron…"

So having this an admin-controlled setting is mandatory.

** Changed in: neutron
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1793207

Title:
  external_gateway_info enable_snat attribute should be owner-modifiable

Status in neutron:
  Won't Fix

Bug description:
  Currently, policy.json restricts who can change the 'enable_snat'
  setting of a router.  For example:

  stack@18-04:~/devstack$ openstack router show -c external_gateway_info router1
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field                 | Value                                                                                                                                                                                                                                                                      |
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | external_gateway_info | {"network_id": "91bdb30f-9be8-45ac-a313-bb33a99e92dc", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "e9b318e1-01af-49a1-90bc-ffe949a42e05", "ip_address": "172.24.4.3"}, {"subnet_id": "73f36385-d58a-4b74-9262-bcb603e73aee", "ip_address": "2001:db8::6"}]} |
  +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  stack@18-04:~/devstack$ openstack router set --disable-snat --external-gateway 91bdb30f-9be8-45ac-a313-bb33a99e92dc router1
  HttpException: 403: Client Error for url: http://10.18.57.23:9696/v2.0/routers/783d4563-c4d4-417c-a5de-eb7668373f63, {"NeutronError": {"message": "(rule:update_router and (rule:update_router:external_gateway_info and (rule:update_router:external_gateway_info:network_id and rule:update_router:external_gateway_info:enable_snat))) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

  I'm not sure there's a good reason the owner can't modify this, and
  looking back through the blueprints there was only a mention of it -
  "for instance a provider might want to restrict enable_snat to admin
  only users" - so it seems it was intended for the owner originally
  with the caveat that the admin could restrict if necessary.

  This fix would be as simple as updating these two entries:

  "create_router:external_gateway_info:enable_snat": "rule:admin_only"
  "update_router:external_gateway_info:enable_snat": "rule:admin_only"

  to have:

  "rule:admin_or_owner"

  Perhaps there's something I'm missing, so will need to discuss with
  others to see if this should change.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1793207/+subscriptions
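To make the policy.json change discussed in the bug concrete, here is an added example (not Neutron or oslo.policy code) that models how the quoted rules decide the tenant's request: the two enable_snat entries are the ones from the bug, every other rule body is an assumption modelled on the Neutron defaults of that era, and the credentials and router are constructed. It shows the owner's `--disable-snat` update failing under the default policy exactly as the 403 does, and passing under the proposed `admin_or_owner` change that was ultimately rejected.

```python
# Added example (not Neutron or oslo.policy code): a toy evaluator for the
# policy.json rules behind the 403 in the bug report.  Rule bodies other than
# the two enable_snat entries quoted above are assumptions modelled on the
# Neutron defaults of that era; credentials and the router are constructed.
POLICY = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "admin_only": "rule:context_is_admin",
    "update_router": "rule:admin_or_owner",
    "update_router:external_gateway_info": "rule:admin_or_owner",
    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
}
# The change proposed in the bug report (later rejected as Won't Fix).
PROPOSED = {**POLICY, "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner"}

def check(rule, creds, target, policy=POLICY):
    """Evaluate one named rule.  As in oslo.policy, 'and' binds tighter than
    'or'; no rule body above needs parentheses, so they are not parsed."""
    return any(all(_atom(a, creds, target, policy) for a in clause.split(" and "))
               for clause in policy[rule].split(" or "))

def _atom(atom, creds, target, policy):
    kind, _, want = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return check(want, creds, target, policy)
    if kind == "role":                      # role carried in the credentials
        return want in creds.get("roles", ())
    if want.startswith("%(") and want.endswith(")s"):  # substitute a target field
        want = str(target.get(want[2:-2]))
    return str(creds.get(kind)) == want      # generic key:value credential check

def can_update_gateway(creds, router, gw_attrs, policy=POLICY):
    """Mirror the conjunction quoted in the 403: the action rule, the
    external_gateway_info rule, and one sub-attribute rule per key sent."""
    names = ["update_router", "update_router:external_gateway_info"]
    names += ["update_router:external_gateway_info:" + a for a in gw_attrs]
    return all(check(n, creds, router, policy) for n in names)

OWNER = {"tenant_id": "t1", "roles": ["member"]}   # constructed owner credentials
ADMIN = {"tenant_id": "ops", "roles": ["admin"]}   # constructed admin credentials
ROUTER1 = {"tenant_id": "t1"}                      # constructed router owned by t1

if __name__ == "__main__":
    # Same request shape as the bug's `openstack router set --disable-snat --external-gateway ...`
    print(can_update_gateway(OWNER, ROUTER1, ["network_id", "enable_snat"]))            # False -> 403
    print(can_update_gateway(OWNER, ROUTER1, ["network_id"]))                           # True
    print(can_update_gateway(ADMIN, ROUTER1, ["network_id", "enable_snat"]))            # True
    print(can_update_gateway(OWNER, ROUTER1, ["network_id", "enable_snat"], PROPOSED))  # True
```

Note that the owner can still change `network_id` alone; only the request that also carries `enable_snat` is refused, which is why the CLI's combined `--disable-snat --external-gateway` call is the one that produced the 403.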

