
yahoo-eng-team team mailing list archive

[Bug 2030747] Re: Port creation on shared network fails with port_security defined


Hello Roman:

This is the default security policy for non-admin users. By default, a
non-admin user cannot create a port defining the flags
"--disable-port-security" or "--enable-port-security". A non-admin user
must create a port with "--enable-port-security" implicitly defined.

To avoid this default rule, you can change your Neutron policy file, adding a rule similar to the "create_port" one:
  "create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

Keep in mind that this is a potential security issue because you are
allowing non-admin users to create ports without any security.

I'm closing this bug.

Regards.


** Changed in: neutron
       Status: New => Invalid
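To make the policy decision in the reply concrete, here is an added example (not part of this bug thread and not oslo.policy itself) that re-implements a small subset of the oslo.policy rule grammar (rule:, role:, attribute:%(attr)s, and/or/not, parentheses) and evaluates the default "create_port:port_security_enabled" rule beside the relaxed one quoted above. The "admin_only" rule is simplified to role:admin for the demo, the credential dictionaries are constructed, and the project id is the one from the bug report; the chained create_port and fixed_ips rules from the 403 message are not modelled.

```python
"""Toy evaluator for oslo.policy-style rule strings (constructed example).

Not oslo.policy: a minimal re-implementation used only to show why the default
rule denies a project member and what the relaxed rule permits (and still denies).
"""
import re

# Constructed policy tables. "admin_only" is simplified to role:admin here;
# Neutron's real admin_only rule is more elaborate.
DEFAULT_POLICY = {
    "admin_only": "role:admin",
    "create_port:port_security_enabled": "rule:admin_only",
}
RELAXED_POLICY = dict(DEFAULT_POLICY)
RELAXED_POLICY["create_port:port_security_enabled"] = (
    "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
)

# A token is "(", ")", or a run of non-space, non-paren characters in which a
# "%(name)s" substitution (which contains parens itself) counts as one piece.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")


class _Parser:
    """Recursive descent: or_expr > and_expr > not_expr > check."""

    def __init__(self, tokens, policy, creds, target):
        self.toks, self.i = tokens, 0
        self.policy, self.creds, self.target = policy, creds, target

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def or_expr(self):
        result = self.and_expr()
        while self.peek() == "or":
            self.take()
            rhs = self.and_expr()  # always parsed so the tokens are consumed
            result = result or rhs
        return result

    def and_expr(self):
        result = self.not_expr()
        while self.peek() == "and":
            self.take()
            rhs = self.not_expr()
            result = result and rhs
        return result

    def not_expr(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of policy expression")
        if tok == "not":
            return not self.not_expr()
        if tok == "(":
            result = self.or_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in policy expression")
            return result
        return self.check(tok)

    def check(self, tok):
        if tok == "@":   # always allow
            return True
        if tok == "!":   # always deny
            return False
        kind, _, match = tok.partition(":")
        if kind == "rule":   # reference to another named rule
            return enforce(self.policy, match, self.creds, self.target)
        if kind == "role":   # role carried by the caller's token
            return match in self.creds.get("roles", [])
        # Generic check: interpolate %(attr)s from the target resource and
        # compare with the same attribute of the caller's credentials.
        try:
            expected = match % self.target
        except KeyError:
            return False
        return str(self.creds.get(kind)) == expected


def enforce(policy, rule_name, creds, target):
    """Evaluate policy[rule_name] for creds acting on target; unknown rules deny."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    parser = _Parser(_TOKEN.findall(expr), policy, creds, target)
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in policy expression: %r" % expr)
    return result


def may_set_port_security(policy, creds, target):
    """True if creds may pass --enable/--disable-port-security for target."""
    return enforce(policy, "create_port:port_security_enabled", creds, target)


# Constructed credentials; PROJECT is the project id from the bug report.
PROJECT = "71558625372d467c85061759fd2e6bf8"
MEMBER = {"roles": ["member", "reader"], "project_id": PROJECT}
OTHER_MEMBER = {"roles": ["member", "reader"], "project_id": "0" * 32}
ADMIN = {"roles": ["admin", "member"], "project_id": "1" * 32}
TARGET = {"project_id": PROJECT}

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("relaxed", RELAXED_POLICY)):
        for who, creds in (("member", MEMBER), ("other-member", OTHER_MEMBER), ("admin", ADMIN)):
            print(f"{label:8} {who:13} -> {may_set_port_security(policy, creds, TARGET)}")
```

Under the default table only the admin credentials pass, which is the 403 in the bug report. Under the relaxed table the member of the port's own project passes, a member of a different project is still denied because the project_id:%(project_id)s check compares the caller's project with the target's, and admins pass through the first branch. That project scoping is what keeps the relaxation from becoming "any user may disable port security anywhere"; it does not remove the risk the reply points out, since members can still create ports in their own project with port security off.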

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2030747

Title:
  Port creation on shared network fails with port_security defined

Status in neutron:
  Invalid

Bug description:
  OpenStack deployment: kolla-ansible 2023.1
  Neutron version is reported as 

  ubuntu@os:~$ docker exec neutron_server neutron --version
  neutron CLI is deprecated and will be removed in the Z cycle. Use openstack CLI instead.
  9.0.0

  When a user tries to create a port on a shared network, the operation fails when the option
  [--enable-port-security | --disable-port-security]
  is specified. If it is not, the port is created successfully with port_security_enabled = True

  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --enable-port-security myport-01
  ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --disable-port-security myport-01
  ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 myport-01
  +-------------------------+--------------------------------------------------------------------------------+
  | Field                   | Value                                                                          |
  +-------------------------+--------------------------------------------------------------------------------+
  | admin_state_up          | UP                                                                             |
  | allowed_address_pairs   |                                                                                |
  | binding_host_id         | None                                                                           |
  | binding_profile         | None                                                                           |
  | binding_vif_details     | None                                                                           |
  | binding_vif_type        | None                                                                           |
  | binding_vnic_type       | normal                                                                         |
  | created_at              | 2023-08-08T11:56:10Z                                                           |
  | data_plane_status       | None                                                                           |
  | description             |                                                                                |
  | device_id               |                                                                                |
  | device_owner            |                                                                                |
  | device_profile          | None                                                                           |
  | dns_assignment          | None                                                                           |
  | dns_domain              | None                                                                           |
  | dns_name                | None                                                                           |
  | extra_dhcp_opts         |                                                                                |
  | fixed_ips               | ip_address='100.100.100.100', subnet_id='cf062558-3c32-48c3-96d1-dcaebad3ee71' |
  | id                      | 19ba7a13-4f83-4b9f-81d1-2a2571758ef7                                           |
  | ip_allocation           | None                                                                           |
  | mac_address             | fa:16:3e:32:64:43                                                              |
  | name                    | myport-01                                                                      |
  | network_id              | 30e7e427-c5f7-46b2-b04d-3ebccff5c532                                           |
  | numa_affinity_policy    | None                                                                           |
  | port_security_enabled   | True                                                                           |
  | project_id              | 71558625372d467c85061759fd2e6bf8                                               |
  | propagate_uplink_status | None                                                                           |
  | qos_network_policy_id   | 4898087a-930f-4cc8-ac8d-f464b81c2df1                                           |
  | qos_policy_id           | None                                                                           |
  | resource_request        | None                                                                           |
  | revision_number         | 1                                                                              |
  | security_group_ids      | da5cef69-0aa6-4dbf-ba5f-a57e68fadc3a                                           |
  | status                  | DOWN                                                                           |
  | tags                    |                                                                                |
  | trunk_details           | None                                                                           |
  | updated_at              | 2023-08-08T11:56:10Z                                                           |
  +-------------------------+--------------------------------------------------------------------------------+
