It is the expected behavior, as per its original design.

In the Neutron API, if a user has the admin role, the user can see all resources from all tenants. The CLI just sends a request to the Neutron API, so the result of net-list with the admin role lists both networks. In addition, a network with router:external=True (in this case the "public" network) is visible to non-admin users so that regular users can know the floating IP pools. (A network with router:external=True is a floating IP pool.)

In Horizon, the network list in the Project panel only lists networks from the current project. It is the intended behavior. The admin network panel is used to list all networks from all projects. Regarding the "public" network, it is not listed in the project network panel because the "public" network is a floating IP pool and there is no need for it to be listed in the network panel. It is used in the Floating IP Allocation form.

Regarding VM launching, it is the intended behavior too. In the CLI case, the Neutron API allows admin users to create a port on any network, even if the network belongs to another project. This is the reason the "admin" user with the "admin" tenant can launch an instance connected to the "private" network of the "demo" project.

In Horizon, Horizon honors the typical use case to avoid complicated use cases. Horizon developers think it is a special use case where an admin user launches an instance connected to other projects. This is the reason an admin user cannot launch an instance connected to the "private" network from the "demo" project. If there are such special needs, it can be done through the CLI.

I hope it helps you understand the behavior.

Thanks,
Akihiro

On Mon, Oct 6, 2014 at 8:29 AM, Danny Choi (dannchoi) <dannc...@cisco.com> wrote:
> Hi,
>
> I used devstack to deploy Juno OpenStack.
>
> By default, devstack created 2 users: admin (with role “admin”) and demo.
>
> localadmin@qa4:~/devstack$ source openrc admin admin
> localadmin@qa4:~/devstack$ keystone user-list
> +----------------------------------+----------+---------+----------------------+
> | id                               | name     | enabled | email                |
> +----------------------------------+----------+---------+----------------------+
> | 8ad8cd428ac94cd1a888d4372a61cabc | admin    | True    |                      | <<<
> | e057de661e644f709899b169dd716037 | alt_demo | True    | alt_d...@example.com |
> | d55afe55b4de4815bc3e832b2684abd8 | cinder   | True    |                      |
> | 57a3f7eefcff4a37b064938ebf7335da | demo     | True    | d...@example.com     | <<<
> | e40971caaf8040d2bc91ec62ad846377 | glance   | True    |                      |
> | b6920c6626144595807f40ac36a453e4 | heat     | True    |                      |
> | 71af3e61cb63442ea6a91fcd221487dd | neutron  | True    |                      |
> | 259fb79c8bfa4c0f9d5df37c45868ce8 | nova     | True    |                      |
> +----------------------------------+----------+---------+----------------------+
> localadmin@qa4:~/devstack$ keystone tenant-list
> +----------------------------------+--------------------+---------+
> | id                               | name               | enabled |
> +----------------------------------+--------------------+---------+
> | 55ec74628b004fedbef9b8cad130a442 | admin              | True    | <<<
> | 2e6b7da08b9643cc95518c8efc7f71c3 | alt_demo           | True    |
> | 51dcdd7f6f6545bd8bb49aeb556dab48 | demo               | True    | <<<
> | e9f10b3e51fd4ff68150ec82eeeac3e4 | invisible_to_admin | True    |
> | 4264b64d7697419886ebf2ef141069a5 | service            | True    |
> +----------------------------------+--------------------+---------+
> localadmin@qa4:~/devstack$ keystone user-get admin
> +----------+----------------------------------+
> | Property | Value                            |
> +----------+----------------------------------+
> | email    |                                  |
> | enabled  | True                             |
> | id       | 8ad8cd428ac94cd1a888d4372a61cabc |
> | name     | admin                            |
> | tenantId | 55ec74628b004fedbef9b8cad130a442 | <<< tenant=admin
> | username | admin                            |
> +----------+----------------------------------+
> localadmin@qa4:~/devstack$ keystone user-get demo
> +----------+----------------------------------+
> | Property | Value                            |
> +----------+----------------------------------+
> | email    | d...@example.com                 |
> | enabled  | True                             |
> | id       | 57a3f7eefcff4a37b064938ebf7335da |
> | name     | demo                             |
> | tenantId | 51dcdd7f6f6545bd8bb49aeb556dab48 | <<< tenant=demo
> | username | demo                             |
> +----------+----------------------------------+
> localadmin@qa4:~/devstack$ keystone user-role-list --user admin --tenant admin
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id                               | name             | user_id                          | tenant_id                        |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> | 1f4f0d145e71452d9e633c63baae3696 | admin            | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> | 98b3a4cad94949319d99acde115f682b | heat_stack_owner | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> localadmin@qa4:~/devstack$ keystone user-role-list --user demo --tenant demo
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id                               | name             | user_id                          | tenant_id                        |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | b3831a6a7eac4b8996ba428345cb9067 | Member           | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 750c89eea84f4e53852033331c835617 | anotherrole      | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 98b3a4cad94949319d99acde115f682b | heat_stack_owner | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
>
> There are 2 networks created, public (tenant = admin) and private (tenant = demo); and both networks are not shared.
>
> localadmin@qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id                                   | name    | subnets                                            |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public  | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24   |
> +--------------------------------------+---------+----------------------------------------------------+
> localadmin@qa4:~/devstack$ neutron net-show public
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d |
> | name                      | public                               |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | p1p1                                 |
> | provider:segmentation_id  | 301                                  |
> | router:external           | True                                 |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 |
> | tenant_id                 | 55ec74628b004fedbef9b8cad130a442     | <<< tenant=admin
> +---------------------------+--------------------------------------+
> localadmin@qa4:~/devstack$ neutron net-show private
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | 94d1e13c-cebc-419d-af06-49e6b4f01304 |
> | name                      | private                              |
> | provider:network_type     | vlan                                 |
> | provider:physical_network | p1p1                                 |
> | provider:segmentation_id  | 300                                  |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   | 1265bbd4-e775-4d9b-a7d5-498848c09b37 |
> | tenant_id                 | 51dcdd7f6f6545bd8bb49aeb556dab48     | <<< tenant=demo
> +---------------------------+--------------------------------------+
>
> In CLI, both networks are visible for both users admin and demo.
>
> localadmin@qa4:~/devstack$ source openrc admin admin
> localadmin@qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id                                   | name    | subnets                                            |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public  | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24   |
> +--------------------------------------+---------+----------------------------------------------------+
> localadmin@qa4:~/devstack$
> localadmin@qa4:~/devstack$
> localadmin@qa4:~/devstack$ source openrc demo demo
> localadmin@qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+--------------------------------------------------+
> | id                                   | name    | subnets                                          |
> +--------------------------------------+---------+--------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public  | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246             |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+--------------------------------------------------+
>
> In Horizon dashboard, I logged in as user admin.
>
> From the Projects pulldown, select admin.
> At the left pane, Project->Network->Networks, only the "public" network is shown.
>
> From the Projects pulldown, select demo.
> At the left pane, Project->Network->Networks, only the "private" network is shown.
>
> As a result, when I launch an instance with Horizon dashboard, I can only attach the public network (when project = admin)
> or the private network (when project = demo).
>
> However, in CLI, as user admin, I can launch an instance with public or private network.
>
> localadmin@qa4:~/devstack$ source openrc admin admin
> localadmin@qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id                                   | name    | subnets                                            |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public  | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24   |
> +--------------------------------------+---------+----------------------------------------------------+
> localadmin@qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=2d113f8c-d742-4f2f-8cf2-a8e56749d51d vm1
> +--------------------------------------+----------------------------------------------------------------+
> | Property                             | Value                                                          |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig                    | MANUAL                                                         |
> | OS-EXT-AZ:availability_zone          | nova                                                           |
> | OS-EXT-SRV-ATTR:host                 | -                                                              |
> | OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                              |
> | OS-EXT-SRV-ATTR:instance_name        | instance-0000000a                                              |
> | OS-EXT-STS:power_state               | 0                                                              |
> | OS-EXT-STS:task_state                | scheduling                                                     |
> | OS-EXT-STS:vm_state                  | building                                                       |
> | OS-SRV-USG:launched_at               | -                                                              |
> | OS-SRV-USG:terminated_at             | -                                                              |
> | accessIPv4                           |                                                                |
> | accessIPv6                           |                                                                |
> | adminPass                            | 3ZGJRjr6s3bk                                                   |
> | config_drive                         |                                                                |
> | created                              | 2014-10-05T23:03:36Z                                           |
> | flavor                               | m1.tiny (1)                                                    |
> | hostId                               |                                                                |
> | id                                   | c308e2a1-1763-4d05-84ed-8fcf5f02abab                           |
> | image                                | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name                             | -                                                              |
> | metadata                             | {}                                                             |
> | name                                 | vm1                                                            |
> | os-extended-volumes:volumes_attached | []                                                             |
> | progress                             | 0                                                              |
> | security_groups                      | default                                                        |
> | status                               | BUILD                                                          |
> | tenant_id                            | 55ec74628b004fedbef9b8cad130a442                               |
> | updated                              | 2014-10-05T23:03:36Z                                           |
> | user_id                              | 8ad8cd428ac94cd1a888d4372a61cabc                               |
> +--------------------------------------+----------------------------------------------------------------+
> localadmin@qa4:~/devstack$ nova list
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | ID                                   | Name | Status | Task State | Power State | Networks          |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | c308e2a1-1763-4d05-84ed-8fcf5f02abab | vm1  | ACTIVE | -          | Running     | public=172.24.4.4 |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> localadmin@qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=94d1e13c-cebc-419d-af06-49e6b4f01304 vm2
> +--------------------------------------+----------------------------------------------------------------+
> | Property                             | Value                                                          |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig                    | MANUAL                                                         |
> | OS-EXT-AZ:availability_zone          | nova                                                           |
> | OS-EXT-SRV-ATTR:host                 | -                                                              |
> | OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                              |
> | OS-EXT-SRV-ATTR:instance_name        | instance-0000000b                                              |
> | OS-EXT-STS:power_state               | 0                                                              |
> | OS-EXT-STS:task_state                | scheduling                                                     |
> | OS-EXT-STS:vm_state                  | building                                                       |
> | OS-SRV-USG:launched_at               | -                                                              |
> | OS-SRV-USG:terminated_at             | -                                                              |
> | accessIPv4                           |                                                                |
> | accessIPv6                           |                                                                |
> | adminPass                            | fLQ7xn8pgAhc                                                   |
> | config_drive                         |                                                                |
> | created                              | 2014-10-05T23:04:09Z                                           |
> | flavor                               | m1.tiny (1)                                                    |
> | hostId                               |                                                                |
> | id                                   | 536a509f-7941-466a-9508-ce26f599f10a                           |
> | image                                | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name                             | -                                                              |
> | metadata                             | {}                                                             |
> | name                                 | vm2                                                            |
> | os-extended-volumes:volumes_attached | []                                                             |
> | progress                             | 0                                                              |
> | security_groups                      | default                                                        |
> | status                               | BUILD                                                          |
> | tenant_id                            | 55ec74628b004fedbef9b8cad130a442                               |
> | updated                              | 2014-10-05T23:04:09Z                                           |
> | user_id                              | 8ad8cd428ac94cd1a888d4372a61cabc                               |
> +--------------------------------------+----------------------------------------------------------------+
> localadmin@qa4:~/devstack$ nova list
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | ID                                   | Name | Status | Task State | Power State | Networks          |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | c308e2a1-1763-4d05-84ed-8fcf5f02abab | vm1  | ACTIVE | -          | Running     | public=172.24.4.4 |
> | 536a509f-7941-466a-9508-ce26f599f10a | vm2  | ACTIVE | -          | Running     | private=10.0.0.9  |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
>
> And as user demo, I can only attach the private network to an instance.
>
> localadmin@qa4:~/devstack$ source openrc demo demo
> localadmin@qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+--------------------------------------------------+
> | id                                   | name    | subnets                                          |
> +--------------------------------------+---------+--------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public  | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246             |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+--------------------------------------------------+
> localadmin@qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=94d1e13c-cebc-419d-af06-49e6b4f01304 cirros-1
> +--------------------------------------+----------------------------------------------------------------+
> | Property                             | Value                                                          |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig                    | MANUAL                                                         |
> | OS-EXT-AZ:availability_zone          | nova                                                           |
> | OS-EXT-STS:power_state               | 0                                                              |
> | OS-EXT-STS:task_state                | scheduling                                                     |
> | OS-EXT-STS:vm_state                  | building                                                       |
> | OS-SRV-USG:launched_at               | -                                                              |
> | OS-SRV-USG:terminated_at             | -                                                              |
> | accessIPv4                           |                                                                |
> | accessIPv6                           |                                                                |
> | adminPass                            | gYHta22xTK9a                                                   |
> | config_drive                         |                                                                |
> | created                              | 2014-10-05T23:17:28Z                                           |
> | flavor                               | m1.tiny (1)                                                    |
> | hostId                               |                                                                |
> | id                                   | 791ad866-420d-4e32-baad-b34f0b6e50d1                           |
> | image                                | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name                             | -                                                              |
> | metadata                             | {}                                                             |
> | name                                 | cirros-1                                                       |
> | os-extended-volumes:volumes_attached | []                                                             |
> | progress                             | 0                                                              |
> | security_groups                      | default                                                        |
> | status                               | BUILD                                                          |
> | tenant_id                            | 51dcdd7f6f6545bd8bb49aeb556dab48                               |
> | updated                              | 2014-10-05T23:17:28Z                                           |
> | user_id                              | 57a3f7eefcff4a37b064938ebf7335da                               |
> +--------------------------------------+----------------------------------------------------------------+
> localadmin@qa4:~/devstack$ nova list
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | ID                                   | Name     | Status | Task State | Power State | Networks          |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | 791ad866-420d-4e32-baad-b34f0b6e50d1 | cirros-1 | ACTIVE | -          | Running     | private=10.0.0.12 |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> localadmin@qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=2d113f8c-d742-4f2f-8cf2-a8e56749d51d cirros-2
> +--------------------------------------+----------------------------------------------------------------+
> | Property                             | Value                                                          |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig                    | MANUAL                                                         |
> | OS-EXT-AZ:availability_zone          | nova                                                           |
> | OS-EXT-STS:power_state               | 0                                                              |
> | OS-EXT-STS:task_state                | scheduling                                                     |
> | OS-EXT-STS:vm_state                  | building                                                       |
> | OS-SRV-USG:launched_at               | -                                                              |
> | OS-SRV-USG:terminated_at             | -                                                              |
> | accessIPv4                           |                                                                |
> | accessIPv6                           |                                                                |
> | adminPass                            | aZRHa3ZgQAHP                                                   |
> | config_drive                         |                                                                |
> | created                              | 2014-10-05T23:18:13Z                                           |
> | flavor                               | m1.tiny (1)                                                    |
> | hostId                               |                                                                |
> | id                                   | 6ffd8081-8659-40b3-b7c2-dc6746855692                           |
> | image                                | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name                             | -                                                              |
> | metadata                             | {}                                                             |
> | name                                 | cirros-2                                                       |
> | os-extended-volumes:volumes_attached | []                                                             |
> | progress                             | 0                                                              |
> | security_groups                      | default                                                        |
> | status                               | BUILD                                                          |
> | tenant_id                            | 51dcdd7f6f6545bd8bb49aeb556dab48                               |
> | updated                              | 2014-10-05T23:18:13Z                                           |
> | user_id                              | 57a3f7eefcff4a37b064938ebf7335da                               |
> +--------------------------------------+----------------------------------------------------------------+
> localadmin@qa4:~/devstack$ nova list
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | ID                                   | Name     | Status | Task State | Power State | Networks          |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | 791ad866-420d-4e32-baad-b34f0b6e50d1 | cirros-1 | ACTIVE | -          | Running     | private=10.0.0.12 |
> | 6ffd8081-8659-40b3-b7c2-dc6746855692 | cirros-2 | ERROR  | -          | NOSTATE     |                   |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
>
> Is this the expected behavior?
>
> Thanks,
> Danny
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Akihiro Motoki <amot...@gmail.com>
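
Added example, not part of the original thread and not Neutron or Horizon code: a simplified Python model of the rules explained in the reply, run over the two networks from the quoted output to show where "can list" and "can attach" diverge. The function names are hypothetical; the handling of shared networks and the non-admin port rule (own or shared networks only) are assumptions not stated in the thread, the latter being consistent with the cirros-2 ERROR above.

```python
# Simplified model of the rules described in this thread; not Neutron or Horizon code.
# Sample data: the two networks and tenant IDs shown in the quoted output.
ADMIN_TENANT = "55ec74628b004fedbef9b8cad130a442"
DEMO_TENANT = "51dcdd7f6f6545bd8bb49aeb556dab48"

NETWORKS = [
    {"name": "public", "tenant_id": ADMIN_TENANT,
     "shared": False, "router:external": True},
    {"name": "private", "tenant_id": DEMO_TENANT,
     "shared": False, "router:external": False},
]


def api_visible(net, tenant_id, is_admin):
    """Neutron API listing: admins see everything; other users see their own
    networks, shared networks (assumption) and router:external networks."""
    return (is_admin or net["tenant_id"] == tenant_id
            or net["shared"] or net["router:external"])


def api_can_create_port(net, tenant_id, is_admin):
    """Port creation: admins on any network (per the reply). Assumption for
    non-admins: only on networks they own or that are shared."""
    return is_admin or net["tenant_id"] == tenant_id or net["shared"]


def horizon_project_panel(net, project_id):
    """Horizon Project > Networks as described in the reply: networks of the
    current project only, whatever the user's role."""
    return net["tenant_id"] == project_id


def names(predicate, *args):
    """Names of the sample networks for which predicate(net, *args) holds."""
    return [n["name"] for n in NETWORKS if predicate(n, *args)]


def visible_but_not_attachable(tenant_id, is_admin):
    """Networks an identity can list through the API but cannot attach to."""
    return [n["name"] for n in NETWORKS
            if api_visible(n, tenant_id, is_admin)
            and not api_can_create_port(n, tenant_id, is_admin)]


if __name__ == "__main__":
    for label, tenant, admin in (("admin/admin", ADMIN_TENANT, True),
                                 ("demo/demo", DEMO_TENANT, False)):
        print(label, "net-list:", names(api_visible, tenant, admin))
        print(label, "can attach:", names(api_can_create_port, tenant, admin))
        print(label, "Horizon panel:", names(horizon_project_panel, tenant))
        print(label, "listed, not attachable:",
              visible_but_not_attachable(tenant, admin))
```

For a multi-tenant review, the last function is the interesting one: it separates networks that are merely discoverable (floating IP pools) from networks a tenant can actually place a port on.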