yahoo-eng-team team mailing list archive
Message #87073
[Bug 1942615] [NEW] SG shared through RBAC mechanism can't be used to spawn instances
Public bug reported:
For some time now, security groups can be shared with specific tenants
using the RBAC mechanism, but it's not possible to share an SG that way with
TARGET-PROJECT and then, as a member or admin in that TARGET-PROJECT,
spawn a VM which will use that SG:
$ openstack server create --image cirros-0.5.1-x86_64-disk --flavor m1.tiny --network TARGET-PROJECT-net1 --security-group sharedsg --wait testsg004
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
Error creating server: testsg004
Error creating server
It is like that because nova in https://github.com/openstack/nova/blob/713b653fc0e09301a5674316a49a6f5ffd152b4c/nova/network/neutron.py#L814 is asking for security groups filtered by tenant_id, and Neutron returns only SGs which are owned by that tenant, without the ones shared with the tenant using RBAC.
Looking at the neutron api-ref https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-networks-detail,list-security-groups-detail#security-groups-security-groups it clearly says that it filters by the tenant_id that OWNS the resource, so it seems like correct (documented) behaviour.
Now the question is: should we relax that filter and return SGs which the
project owns and which are shared with the tenant? Or should we add an
additional flag to the API, like "include_shared", which could be used by
Nova? Or maybe do you have any other ideas about how to solve that
issue?
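To make the failure mode concrete, here is an added Python model of the lookup Nova performs when it validates --security-group against Neutron's project-filtered listing. It is not Nova's or Neutron's own code: the in-memory security-group and RBAC tables are constructed sample data, and the include_shared flag is a hypothetical parameter named after the suggestion in this report. It also goes one step beyond the report by showing the caveat a relaxed filter brings: once shared groups are listed alongside owned ones, a name-based lookup can become ambiguous.

```python
"""Model of the Neutron security-group lookup Nova does at server create.

Constructed data and simplified lookup functions; NOT Neutron's or Nova's
own code.  Field names follow the Neutron API (project_id, RBAC
target_tenant / action); the in-memory tables and the include_shared
flag are assumptions made for this example.
"""
from dataclasses import dataclass

ACCESS_AS_SHARED = "access_as_shared"  # Neutron RBAC action used for sharing
WILDCARD = "*"                          # Neutron RBAC target meaning "all projects"


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    name: str
    project_id: str  # the OWNING project; this is what ?tenant_id= matches


@dataclass(frozen=True)
class RbacPolicy:
    object_id: str       # id of the security group being shared
    target_tenant: str   # project receiving access, or "*"
    action: str = ACCESS_AS_SHARED


# Constructed sample data: SOURCE-PROJECT owns "sharedsg" and shares it with
# TARGET-PROJECT; it also shares its own "default" group with everyone,
# which collides by name with TARGET-PROJECT's own "default" group.
SECURITY_GROUPS = [
    SecurityGroup("sg-1111", "default", "TARGET-PROJECT"),
    SecurityGroup("sg-2222", "sharedsg", "SOURCE-PROJECT"),
    SecurityGroup("sg-3333", "default", "SOURCE-PROJECT"),
]
RBAC_POLICIES = [
    RbacPolicy("sg-2222", "TARGET-PROJECT"),
    RbacPolicy("sg-3333", WILDCARD),
]


def list_security_groups(project_id, include_shared=False):
    """Emulate GET /v2.0/security-groups?tenant_id=<project_id>.

    include_shared=False is the documented behaviour the report describes:
    only groups OWNED by project_id come back.  include_shared=True is the
    hypothetical relaxed filter: groups shared with the project through an
    access_as_shared RBAC policy (direct or wildcard) are appended.
    """
    owned = [sg for sg in SECURITY_GROUPS if sg.project_id == project_id]
    if not include_shared:
        return owned
    shared_ids = {
        p.object_id for p in RBAC_POLICIES
        if p.action == ACCESS_AS_SHARED
        and p.target_tenant in (project_id, WILDCARD)
    }
    shared = [sg for sg in SECURITY_GROUPS
              if sg.id in shared_ids and sg.project_id != project_id]
    return owned + shared


def resolve_security_group(requested, project_id, include_shared=False):
    """Resolve a --security-group value (name or id) the way Nova needs to:
    the group must appear in the project-filtered listing and a name must
    match exactly one group.  Returns the group id, or None when resolution
    fails (which is what surfaces to the user as "Error creating server").
    """
    candidates = [sg for sg in list_security_groups(project_id, include_shared)
                  if sg.id == requested or sg.name == requested]
    if len(candidates) != 1:  # not found, or ambiguous by name
        return None
    return candidates[0].id


if __name__ == "__main__":
    for flag in (False, True):
        for wanted in ("sharedsg", "default", "sg-3333"):
            got = resolve_security_group(wanted, "TARGET-PROJECT", flag)
            print(f"include_shared={flag} {wanted!r}: {got or 'not found'}")
```

With the owner-only filter, "sharedsg" is simply absent from TARGET-PROJECT's listing and resolution fails, matching the report. With the relaxed filter it resolves, but "default" now matches both the owned group and the wildcard-shared one, so a name lookup becomes ambiguous while the id lookup still works; any change to the filter (or a new flag) needs Nova's name resolution to cope with that.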
** Affects: neutron
Importance: Medium
Status: Confirmed
** Tags: api
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1942615
Title:
SG shared through RBAC mechanism can't be used to spawn instances
Status in neutron:
Confirmed