yahoo-eng-team team mailing list archive

[Bug 1942615] [NEW] SG shared through RBAC mechanism can't be used to spawn instances

 

Public bug reported:

For some time now, security groups can be shared with specific tenants
using the RBAC mechanism, but it's not possible to share an SG that way
with TARGET-PROJECT and then, as a member or admin in that TARGET-PROJECT,
spawn a VM which will use that SG:

$ openstack server create --image cirros-0.5.1-x86_64-disk --flavor m1.tiny --network TARGET-PROJECT-net1 --security-group sharedsg --wait testsg004
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
Error creating server: testsg004
Error creating server


It is like that because nova in https://github.com/openstack/nova/blob/713b653fc0e09301a5674316a49a6f5ffd152b4c/nova/network/neutron.py#L814 is asking for security groups filtered by tenant_id, and Neutron returns only SGs which are owned by that tenant, without the ones shared with the tenant using RBAC.

Looking at the neutron api-ref
https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-networks-detail,list-security-groups-detail#security-groups-security-groups
it clearly says that it filters by the tenant_id that OWNS the resource,
so it seems like correct (documented) behaviour.

Now the question is: should we relax that filter and return SGs which
the project owns and which are shared with the tenant? Or should we add
an additional flag to the API, like "include_shared", which could be used
by Nova? Or maybe do you have any other ideas about how to solve that
issue?

** Affects: neutron
     Importance: Medium
         Status: Confirmed


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1942615

Title:
  SG shared through RBAC mechanism can't be used to spawn instances

Status in neutron:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1942615/+subscriptions
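A small Python model of the lookup path described in the report, added here as an illustration; it is not code from Nova or Neutron. It reproduces the owner-only filter the report observes and the relaxed owner-plus-shared variant the report asks about (the include_shared flag, the project names and the SG records are all constructed for the example), and it shows the side effect a relaxed filter would have on Nova's by-name matching when an owned group and a shared group carry the same name.

```python
"""Model of the security-group lookup path described in bug 1942615.

Added example, not code from Nova or Neutron. It models two projects,
RBAC 'access_as_shared' entries on security groups, and the two
filtering policies the report compares: owner-only (the documented
behaviour) and owner-plus-shared (the proposed relaxation, represented
here by a hypothetical include_shared flag that Neutron does not have).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    name: str
    project_id: str


@dataclass(frozen=True)
class RbacEntry:
    object_type: str
    object_id: str
    action: str
    target_project: str  # "*" stands for "shared with every project"


# Constructed sample data (not from a real deployment).
SOURCE = "source-project"
TARGET = "target-project"

SECURITY_GROUPS = [
    SecurityGroup("sg-1", "default", SOURCE),
    SecurityGroup("sg-2", "sharedsg", SOURCE),
    SecurityGroup("sg-3", "default", TARGET),
]

RBAC_ENTRIES = [
    # sharedsg is shared only with TARGET; SOURCE's "default" with everyone.
    RbacEntry("security_group", "sg-2", "access_as_shared", TARGET),
    RbacEntry("security_group", "sg-1", "access_as_shared", "*"),
]


def shared_sg_ids(project_id):
    """IDs of security groups shared with project_id through RBAC."""
    return {
        e.object_id
        for e in RBAC_ENTRIES
        if e.object_type == "security_group"
        and e.action == "access_as_shared"
        and e.target_project in (project_id, "*")
    }


def list_security_groups(project_id, include_shared=False):
    """Model of GET /v2.0/security-groups?tenant_id=<project_id>.

    With include_shared=False only groups the project owns come back,
    which is what the api-ref documents and what the report observes.
    include_shared is hypothetical: it stands for the relaxed filter or
    extra API flag the report asks about.
    """
    owned = [sg for sg in SECURITY_GROUPS if sg.project_id == project_id]
    if not include_shared:
        return owned
    shared = shared_sg_ids(project_id)
    # Exclude owned groups so a group shared with "*" is not listed twice.
    return owned + [
        sg for sg in SECURITY_GROUPS
        if sg.id in shared and sg.project_id != project_id
    ]


def resolve_security_group(name_or_id, project_id, include_shared=False):
    """Nova-style resolution of --security-group: match by name or id
    against the project-filtered list. Returns the SG id, "NotFound" when
    nothing matches, or "NoUniqueMatch" when several groups match (Nova
    rejects an ambiguous name rather than picking one)."""
    candidates = list_security_groups(project_id, include_shared)
    matches = [sg for sg in candidates if name_or_id in (sg.id, sg.name)]
    if not matches:
        return "NotFound"
    if len(matches) > 1:
        return "NoUniqueMatch"
    return matches[0].id


if __name__ == "__main__":
    # The failure from the report: sharedsg is invisible to TARGET.
    print(resolve_security_group("sharedsg", TARGET))        # NotFound
    # With shared groups included the request would succeed.
    print(resolve_security_group("sharedsg", TARGET, True))  # sg-2
    # The caveat: relaxing the filter makes by-name lookups ambiguous
    # whenever an owned and a shared group have the same name.
    print(resolve_security_group("default", TARGET))         # sg-3
    print(resolve_security_group("default", TARGET, True))   # NoUniqueMatch
```

The last two calls are the point a reviewer of either proposed fix would raise: every project has a group named "default", so returning shared groups from the tenant_id-filtered listing makes a plain `--security-group default` ambiguous as soon as any other project shares its own "default" group; a relaxed filter or an include_shared flag needs Nova to prefer owned groups or require an ID in that case.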