yahoo-eng-team team mailing list archive

[Bug 2105502] Re: service role permissions not enough for octavia allowed address pair driver


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/945329
Committed: https://opendev.org/openstack/neutron/commit/65b9dc622f00e4aeac0e4f9a71db690a377cd558
Submitter: "Zuul (22348)"
Branch:    master

commit 65b9dc622f00e4aeac0e4f9a71db690a377cd558
Author: Tobias Urdin <tobias.urdin@xxxxxxxxxx>
Date:   Mon Mar 24 16:16:25 2025 +0100

    Allow service role more RBAC access for Octavia
    
    This updates the default RBAC rules for multiple
    resources to allow for a seamless integration with
    Octavia without having to give Octavia system scope
    admin in the entire cloud.
    
    The current use of the service role in the RBAC
    rules allows for pretty much all of the permissions
    that Octavia needs today except for a few.
    
    It needs get_subnet to be able to retrieve a subnet
    and check the details, this is low impact as we
    already allow get_network.
    
    It also needs get_network_ip_availability because it
    supports automatically selecting a subnet (if none
    is given) on a network based on the amount of
    available IP addresses.
    
    The default Amphora compute driver for Octavia uses
    a keepalived and HAProxy implementation that uses
    unicast VRRP for the VIP address; this VIP address
    is added as an allowed address pair on the ports
    for the amphora compute instances so the VIP port
    itself is not bound.
    
    Octavia also depends on being able to populate the
    ``device_id`` field on a port which means it also
    needs this patch [1] together with this one.
    
    [1] https://review.opendev.org/c/openstack/neutron/+/947003
    
    Closes-Bug: #2105502
    Change-Id: I089999cece698af1a3b54d1341d9004d4108ae44


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2105502

Title:
  service role permissions not enough for octavia allowed address pair
  driver

Status in neutron:
  Fix Released

Bug description:
  The octavia project's network driver needs more permissions to work
  without the admin role. This is for the allowed address pair network
  driver that allocates ports on tenant networks in a project that
  octavia handles, where it places amphora instances.

  This should be fixed so that it only needs to have the service role by
  filling the gaps for the service role.

  This is:

  - get_subnet

  - get_network_ip_availability

  - allowed address pairs in create and update port

  - device_id in create and update port as proposed in [1]

  [1] https://review.opendev.org/c/openstack/neutron/+/861169

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2105502/+subscriptions