yahoo-eng-team team mailing list archive

[Rodolfo Alonso <1996421@xxxxxxxxxxxxxxxxxx>]

Hello:

Neutron currently doesn't provide a RBAC functionality on ports. As
commented, the port is listed depending on (1) the network RBAC policies
and (2) the policy rules.

When a network is created by project A, the user of this project is
able, by default, to see all ports belonging to this network. If this
user shared via RBAC this network with project B, this other project
will be able to create ports on this network.

What we have here is the following:
* Project A user will be able to list all ports in the network because:
** The project owns the network
** By default, the "get_port" policy includes "rule:admin_owner_or_network_owner". That means all ports belonging to this network, regardless of the owner, will be shown.

* Project B user will be able to list all ports in this network
**created by this project**. Project B user won't be able to list
Project A ports (owner of the network).


The first case is what we have in this bug. This is the expected correct behaviour of Neutron.

Regarding to the interaction with other projects, as in this case Nova,
this is a known issue that is also affecting for example the security
groups retrieval. In this case Nova always rejects a port that doesn't
belong to the same project ID executing the request. With the correct
policies ('update_port:device_owner', 'update_port:binding:host_id' and
'update_port:binding:profile'), Nova should be able to bind a port. As
commented before, this Nova check is something that needs to be
discussed. Nova should be able, with the correct checks, to use ports
belonging to other projects; but this RFE is out of scope in this bug.

If in your case you want to exclude the ports created by other projects in the "port list" command, you can use the correct Neutron policies. For example:
  "get_port": "rule:admin_or_owner"

I'll set the status of this bug to "Opinion" unless more information is
provided.

Regards.


** Changed in: neutron
       Status: In Progress => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1996421

Title:
  'openstack port list' should display ports only from current project

Status in neutron:
  Opinion

Bug description:
  When a network is shared between multiple projects, "openstack port
  list" command shows ports from all projects which have access to that
  network. This is a problem because each port actually has a
  “project_id“ property, and the port cannot be used for any instance
  outside of that project. When a user attempts to start an instance
  with a port from a different project, it fails like this:
  nova.exception.PortNotUsable

  Steps to reproduce in horizon :-
  ===============================

  1. create network and share network between 2 projects
  2. from Project A, manually create a port “Test Port“ on the network
     note that the port will have the project_id for Project A
  3. from Project B, open the Launch Instance workflow navigate to
     “Network Ports”
  4. At this point, you will see “Test Port” in the list. If you use it
     for the instance from Project B, the instance will fail

  Currently, User can use --project-id="xxxx" as option to "openstack
  port list" command to get desired result. But this needs to be taken
  care at every neutron client e.g. nova or manila or openstackclient or
  horizon.

  Instead, ff we modify neutron itself to return only ports belonging to
  current project in 'openstack port list' command response (without
  specifying --project-id) (at least for non-admin users), it would be
  good improvement.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1996421/+subscriptions