yahoo-eng-team team mailing list archive

[Bug 2052937] Re: Policy: binding operations are prohibited for service role


Hi Bartosz,

Yes, by default this is prohibited. However oslo.policy based policies
are configurable.

For example, in my devstack I don't have ironic deployed, but I
reproduced the problem using the unprivileged 'demo' user:

$ source openrc demo demo
$ openstack network create net0
$ openstack subnet create --network net0 --subnet-range 10.0.0.0/24 subnet0
$ openstack port create --network net0 port0
$ openstack port set --host devstack0 port0
ForbiddenException: 403: Client Error for url: http://192.168.122.225:9696/networking/v2.0/ports/4d6fa1c1-bbb0-4298-a901-c3dec7f1b1f1, (rule:update_port and rule:update_port:binding:host_id) is disallowed by policy

While in q-svc logs I had this:

febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Enforcing rules: ['update_port', 'update_port:binding:host_id'] {{(pid=5814) log_rule_list /opt/stack/neutron/neutron/policy.py:457}}
febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Failed policy enforce for 'update_port' {{(pid=5814) enforce /opt/stack/neutron/neutron/policy.py:530}}

The non-default policy configuration is looked up by oslo.policy in
/etc/neutron/policy.{json,yaml}. Today I believe the yaml format is
preferred. But for some reason devstack still created the old json
format for me. So first I migrated the one-line json file to yaml:

$ cat /etc/neutron/policy.json
{"context_is_admin":  "role:admin or user_name:neutron"}

$ cat /etc/neutron/policy.yaml 
"context_is_admin": "role:admin or user_name:neutron"

I believe this all was deployment (here devstack) specific.

I also told oslo.policy running in neutron-server to use the yaml formatted file:
/etc/neutron/neutron.conf:
[oslo_policy]
policy_file = /etc/neutron/policy.yaml

Then I changed the policy for port binding from the default:
"update_port:binding:host_id": "rule:admin_only" to
"update_port:binding:host_id": "rule:admin_or_owner"

After this change the above "openstack port set --host" starts working,
even without restarting neutron-server.

In your environment of course you want to use a different rule, maybe something like this:
"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

Since I don't have ironic in this environment, I could not test this
rule. But please have a look at the documentation, I'm virtually sure
there's a way to set what you need.

https://docs.openstack.org/neutron/latest/configuration/policy.html
https://docs.openstack.org/neutron/latest/configuration/policy-sample.html
https://docs.openstack.org/oslo.policy/latest/

Regarding the default, I believe for most environments it is good that
only the admin can change port bindings. If you believe differently,
please share your reasons. Until then I'm marking this as not a bug.

Regards,
Bence

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2052937

Title:
  Policy: binding operations are prohibited for service role

Status in neutron:
  Invalid

Bug description:
  Create/update port binding:* policies are admin only, which prevents,
  for example, the ironic service user with the service role from
  managing baremetal ports:

  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron [None req-6737aef3-c823-4f7c-95ec-1c9f38b14faa a4dbb0dc59024c199843cea86603308b 9fd64a4cbd774756869cb3968de2e9b6 - - default default] Unable to clear binding profile for neutron port 291dbb7b-5cc8-480d-b39d-eb849bcb4a64. Error: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy: openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron Traceback (most recent call last):
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 130, in unbind_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     update_neutron_port(context, port_id, attrs_unbind, client)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 109, in update_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return client.update_port(port_id, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 2992, in update_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return self._update(_port.Port, port, if_revision=if_revision, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/proxy.py", line 61, in check
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return method(self, expected, actual, *args, **kwargs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 202, in _update
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return res.commit(self, base_path=base_path, if_revision=if_revision)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1803, in commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return self._commit(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1848, in _commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     self._translate_response(response, has_body=has_body)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1287, in _translate_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     exceptions.raise_from_response(response, error_message=error_message)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/exceptions.py", line 250, in raise_from_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     raise cls(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2052937/+subscriptions
