← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #94969

[Bug 1942615] Re: [RFE] SG shared through RBAC mechanism can't be used to spawn instances

  Thread PreviousDate PreviousThread Next 
** Also affects: ubuntu
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1942615

Title:
  [RFE] SG shared through RBAC mechanism can't be used to spawn
  instances

Status in neutron:
  In Progress
Status in Ubuntu:
  New

Bug description:
  Since some time Security groups can be shared with specific tenants
  using RBAC mechanism but it's not possible to share SG that way with
  TARGET-PROJECT and then, as a member or admin in that TARGET-PROJECT
  spawn vm which will use that SG:

  $ openstack server create --image cirros-0.5.1-x86_64-disk --flavor m1.tiny --network TARGET-PROJECT-net1 --security-group sharedsg --wait testsg004
  /usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
    from cryptography.utils import int_from_bytes
  /usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
    from cryptography.utils import int_from_bytes
  Error creating server: testsg004
  Error creating server

  
  It is like that because nova in https://github.com/openstack/nova/blob/713b653fc0e09301a5674316a49a6f5ffd152b4c/nova/network/neutron.py#L814 is asking for security groups filtered by tenant_id. And Neutron returns only SGs which are owned to that tenant, without the ones shared with tenant using RBAC.

  Looking at neutron api-ref https://docs.openstack.org/api-
  ref/network/v2/index.html?expanded=list-networks-detail,list-security-
  groups-detail#security-groups-security-groups it clearly says that it
  filters by tenant_id that OWNS the resource so it seems like correct
  (documented) behaviour.

  Now the question is - should we relax that filter and return SG which
  project owns and which are shared with tenant? Or should we add
  additional flag to API, like "include_shared" which could be used by
  Nova? Or maybe do You have any other ideas about how to solve that
  issue?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1942615/+subscriptions

References

  Thread PreviousDate PreviousThread Next