yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #90369
[Bug 1996421] Re: 'openstack port list' should display ports only from current project
Hello:
Neutron currently doesn't provide a RBAC functionality on ports. As
commented, the port is listed depending on (1) the network RBAC policies
and (2) the policy rules.
When a network is created by project A, the user of this project is
able, by default, to see all ports belonging to this network. If this
user shared via RBAC this network with project B, this other project
will be able to create ports on this network.
What we have here is the following:
* Project A user will be able to list all ports in the network because:
** The project owns the network
** By default, the "get_port" policy includes "rule:admin_owner_or_network_owner". That means all ports belonging to this network, regardless of the owner, will be shown.
* Project B user will be able to list all ports in this network
**created by this project**. Project B user won't be able to list
Project A ports (owner of the network).
The first case is what we have in this bug. This is the expected correct behaviour of Neutron.
Regarding to the interaction with other projects, as in this case Nova,
this is a known issue that is also affecting for example the security
groups retrieval. In this case Nova always rejects a port that doesn't
belong to the same project ID executing the request. With the correct
policies ('update_port:device_owner', 'update_port:binding:host_id' and
'update_port:binding:profile'), Nova should be able to bind a port. As
commented before, this Nova check is something that needs to be
discussed. Nova should be able, with the correct checks, to use ports
belonging to other projects; but this RFE is out of scope in this bug.
If in your case you want to exclude the ports created by other projects in the "port list" command, you can use the correct Neutron policies. For example:
"get_port": "rule:admin_or_owner"
I'll set the status of this bug to "Opinion" unless more information is
provided.
Regards.
** Changed in: neutron
Status: In Progress => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1996421
Title:
'openstack port list' should display ports only from current project
Status in neutron:
Opinion
Bug description:
When a network is shared between multiple projects, "openstack port
list" command shows ports from all projects which have access to that
network. This is a problem because each port actually has a
“project_id“ property, and the port cannot be used for any instance
outside of that project. When a user attempts to start an instance
with a port from a different project, it fails like this:
nova.exception.PortNotUsable
Steps to reproduce in horizon :-
===============================
1. create network and share network between 2 projects
2. from Project A, manually create a port “Test Port“ on the network
note that the port will have the project_id for Project A
3. from Project B, open the Launch Instance workflow navigate to
“Network Ports”
4. At this point, you will see “Test Port” in the list. If you use it
for the instance from Project B, the instance will fail
Currently, User can use --project-id="xxxx" as option to "openstack
port list" command to get desired result. But this needs to be taken
care at every neutron client e.g. nova or manila or openstackclient or
horizon.
Instead, ff we modify neutron itself to return only ports belonging to
current project in 'openstack port list' command response (without
specifying --project-id) (at least for non-admin users), it would be
good improvement.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1996421/+subscriptions
References