yahoo-eng-team team mailing list archive
Message #92774
[Bug 2030747] Re: Port creation on shared network fails with port_security defined
Hello Roman:
This is the default security policy for non-admin users. By default, a
non-admin user cannot create a port defining the flags
"--disable-port-security" or "--enable-port-security". A non-admin user
must create a port with "--enable-port-security" implicitly defined.
To avoid this default rule, you can change your Neutron policy file, adding a rule similar to the "create_port" one:
"create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
Keep in mind that this is a potential security issue because you are
allowing non-admin users to create ports without any security.
I'm closing this bug.
Regards.
** Changed in: neutron
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2030747
Title:
Port creation on shared network fails with port_security defined
Status in neutron:
Invalid
Bug description:
OpenStack deployment: kolla-ansible 2023.1
Neutron version is reported as
ubuntu@os:~$ docker exec neutron_server neutron --version
neutron CLI is deprecated and will be removed in the Z cycle. Use openstack CLI instead.
9.0.0
When a user tries to create a port on a shared network, the operation fails when the option
[--enable-port-security | --disable-port-security]
is specified. If not, the port is created successfully with port_security_enabled = True
ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --enable-port-security myport-01
ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --disable-port-security myport-01
ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 myport-01
+-------------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2023-08-08T11:56:10Z |
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='100.100.100.100', subnet_id='cf062558-3c32-48c3-96d1-dcaebad3ee71' |
| id | 19ba7a13-4f83-4b9f-81d1-2a2571758ef7 |
| ip_allocation | None |
| mac_address | fa:16:3e:32:64:43 |
| name | myport-01 |
| network_id | 30e7e427-c5f7-46b2-b04d-3ebccff5c532 |
| numa_affinity_policy | None |
| port_security_enabled | True |
| project_id | 71558625372d467c85061759fd2e6bf8 |
| propagate_uplink_status | None |
| qos_network_policy_id | 4898087a-930f-4cc8-ac8d-f464b81c2df1 |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 1 |
| security_group_ids | da5cef69-0aa6-4dbf-ba5f-a57e68fadc3a |
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2023-08-08T11:56:10Z |
+-------------------------+--------------------------------------------------------------------------------+
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2030747/+subscriptions