Public bug reported:

The network demo-net, owned by user demo, is shared with tenant demo-2. The sharing is created by demo using the command

neutron rbac-create --type network --action access_as_shared --target-tenant <demo-2-tenant-id> demo-net

A user on the demo-2 tenant can see the network demo-net:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron net-list
+--------------------------------------+----------+--------------------------------------------------+
| id                                   | name     | subnets                                          |
+--------------------------------------+----------+--------------------------------------------------+
| 85bb7612-e5fa-440c-bacf-86c5929298f3 | demo-net | e66487b6-430b-4fb1-8a87-ed28dd378c43 10.1.2.0/24 |
|                                      |          | ff01f7ca-d838-42dc-8d86-1b2830bc4824 10.1.3.0/24 |
| 5beb4080-4cf0-4921-9bbf-a7f65df6367f | public   | 57485a80-815c-45ef-a0d1-ce11939d7fab             |
|                                      |          | 38d1ddad-8084-4d32-b142-240e16fcd5df             |
+--------------------------------------+----------+--------------------------------------------------+

The owner of network demo-net is able to create a port using the command 'neutron port-create demo-net --fixed-ip ...':

stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field                 | Value                                                                           |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up        | True                                                                            |
| allowed_address_pairs |                                                                                 |
| binding:vnic_type     | normal                                                                          |
| device_id             |                                                                                 |
| device_owner          |                                                                                 |
| dns_name              |                                                                                 |
| fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.6"} |
| id                    | 37402f22-fcd5-4b01-8b01-c6734573d7a8                                            |
| mac_address           | fa:16:3e:44:71:ad                                                               |
| name                  |                                                                                 |
| network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
| security_groups       | 7db11aa0-3d0d-40d1-ae25-e4c02b8886ce                                            |
| status                | DOWN                                                                            |
| tenant_id             | 54913ee1ca89458ba792d685c799484d                                                |
+-----------------------+---------------------------------------------------------------------------------+

The user demo-2 of tenant demo-2 is able to create a port using the network demo-net:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field                 | Value                                                                           |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up        | True                                                                            |
| allowed_address_pairs |                                                                                 |
| binding:vnic_type     | normal                                                                          |
| device_id             |                                                                                 |
| device_owner          |                                                                                 |
| dns_name              |                                                                                 |
| fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.5"} |
| id                    | bab87cc9-2c83-489d-a973-1a42872a3dd4                                            |
| mac_address           | fa:16:3e:c6:93:e5                                                               |
| name                  |                                                                                 |
| network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
| security_groups       | 465c1c6f-e974-40e0-826e-72a2cc7d3fa4                                            |
| status                | DOWN                                                                            |
| tenant_id             | 3dd36d3f99494454bd4f887201684b63                                                |
+-----------------------+---------------------------------------------------------------------------------+

If the same user wants to create a port on demo-net with a fixed IP on the 10.1.2.0/24 subnet, the port creation failed:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
(rule:create_port and rule:create_port:fixed_ips) on {'binding:host_id': <object object at 0x7f1935be82a0>, 'name': '', 'allowed_address_pairs': <object object at 0x7f1935be82a0>, u'admin_state_up': True, u'network_id': u'85bb7612-e5fa-440c-bacf-86c5929298f3', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'extra_dhcp_opts': None, 'mac_address': <object object at 0x7f1935be82a0>, 'binding:vnic_type': 'normal', 'device_owner': '', 'dns_name': '', 'binding:profile': <object object at 0x7f1935be82a0>, u'fixed_ips': [{u'subnet_id': u'ff01f7ca-d838-42dc-8d86-1b2830bc4824'}], u'network:tenant_id': u'54913ee1ca89458ba792d685c799484d', 'security_groups': <object object at 0x7f1935be82a0>, 'device_id': ''} by {'domain': None, 'project_name': u'demo-2', 'tenant_name': u'demo-2', 'project_domain': None, 'timestamp': '2016-02-09 19:20:48.555574', 'auth_token': 'afa5047cd78b4774a6fd3ab3944f3f97', 'resource_uuid': None, 'is_admin': False, 'user': u'ca2f2bb189e6401c9c27214d4aa33563', 'tenant': u'3dd36d3f99494454bd4f887201684b63', 'read_only': False, 'project_id': u'3dd36d3f99494454bd4f887201684b63', 'user_id': u'ca2f2bb189e6401c9c27214d4aa33563', 'show_deleted': False, 'roles': [u'_member_'], 'user_identity': 'ca2f2bb189e6401c9c27214d4aa33563 3dd36d3f99494454bd4f887201684b63 - - -', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'request_id': 'req-7de91903-43ed-4940-a645-3418d10413ec', 'user_domain': None, 'user_name': u'demo-2'} disallowed by policy
stack@Ubuntu-38:~/DEVSTACK/devstack$

The RBAC rule for sharing network demo-net with tenant "demo-2" is:

stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron rbac-show ea979774-8383-4a7e-8cbe-50bbd58855e5
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | ea979774-8383-4a7e-8cbe-50bbd58855e5 |
| object_id     | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| object_type   | network                              |
| target_tenant | 3dd36d3f99494454bd4f887201684b63     |
| tenant_id     | 54913ee1ca89458ba792d685c799484d     |
+---------------+--------------------------------------+

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: access-control

** Summary changed:

- BAC: Port creation on a shared network failed if --fixed-ip is specified
+ RBAC: Port creation on a shared network failed if --fixed-ip is specified

** Summary changed:

- RBAC: Port creation on a shared network failed if --fixed-ip is specified
+ RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1543756

Title:
  RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command

Status in neutron:
  New
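The policy decision quoted in the denial message, replayed with a small evaluator for the oslo.policy rule syntax (an added example; not code from the report, from Neutron or from oslo.policy). The report shows only the rule names, so the rule strings below are an assumption that follows Neutron's default policy.json of that era; the tenant ids, roles and network id are the ones printed in the denial message.

```python
# Added example: minimal evaluator for the oslo.policy rule syntax Neutron used,
# replaying "(rule:create_port and rule:create_port:fixed_ips) ... disallowed by policy".
# ASSUMPTION: these rule strings follow Neutron's default policy.json of the time;
# the report itself shows only the rule names.
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_port": "",  # empty rule text means "always allowed"
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
}

def _atom(atom, target, creds):
    """Evaluate one 'kind:value' atom against the request target and caller creds."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, target, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    # generic check: '%(key)s' is substituted from the target, then compared to creds[kind]
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    return creds.get(kind) == value

def enforce(rule_name, target, creds):
    """'and' binds tighter than 'or'; the rules above need no parentheses."""
    text = POLICY[rule_name]
    if not text:
        return True
    return any(all(_atom(a.strip(), target, creds) for a in clause.split(" and "))
               for clause in text.split(" or "))

def port_create_allowed(target, creds, fixed_ips_given):
    """create_port is always checked; create_port:fixed_ips only when the request names fixed_ips."""
    rules = ["create_port"] + (["create_port:fixed_ips"] if fixed_ips_given else [])
    return all(enforce(r, target, creds) for r in rules)

# Values copied from the denial message in the report.
OWNER_TENANT = "54913ee1ca89458ba792d685c799484d"   # demo, owner of demo-net
DEMO2_TENANT = "3dd36d3f99494454bd4f887201684b63"   # demo-2, the RBAC target_tenant
TARGET = {"network_id": "85bb7612-e5fa-440c-bacf-86c5929298f3",
          "network:tenant_id": OWNER_TENANT, "tenant_id": DEMO2_TENANT}
DEMO2_CREDS = {"tenant_id": DEMO2_TENANT, "roles": ["_member_"]}
OWNER_CREDS = {"tenant_id": OWNER_TENANT, "roles": ["_member_"]}

if __name__ == "__main__":
    print("owner, --fixed-ip  :", port_create_allowed(dict(TARGET, tenant_id=OWNER_TENANT), OWNER_CREDS, True))
    print("demo-2, no fixed-ip:", port_create_allowed(TARGET, DEMO2_CREDS, False))
    print("demo-2, --fixed-ip :", port_create_allowed(TARGET, DEMO2_CREDS, True))
```

The three calls reproduce the report's three outcomes (owner allowed, demo-2 allowed without --fixed-ip, demo-2 denied with it): the fixed_ips rule compares the caller's tenant_id with network:tenant_id, and the RBAC access_as_shared entry plays no part in that comparison.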