Public bug reported:

There is no possibility to set network as not shared if it was also shared via RBAC policy for some specific tenant.

How to reproduce bug:
1. Create 2 projects (tenants): tenantA and tenantB
2. TenantA creates an external network (ext_net_A) + subnet
3. For the external network neutron automatically creates a wildcard 'access_as_external' RBAC rule
4. TenantA can create a new port on ext_net_A; TenantB is not allowed to do the same
5. Create a new 'access_as_shared' RBAC rule granting TenantB access to ext_net_A
6. TenantB is now able to create a port on ext_net_A
7. TenantA sets the shared flag to True on ext_net_A (openstack network set --share <net ID>), which creates a new wildcard 'access_as_shared' RBAC rule
8. TenantA tries to unshare ext_net_A (openstack network set --no-share <net ID>), which fails with:
   HttpException: Conflict

There were no ports added or any other changes made to ext_net_A between sharing and unsharing it.

Neutron should be able to unshare the network since the only tenant using it (tenantB) is already covered by a specific RBAC rule created in step 5.

** Affects: neutron
   Importance: Medium
   Assignee: Slawek Kaplonski (slaweq)
   Status: Confirmed

** Tags: api queens-backport-potential

https://bugs.launchpad.net/bugs/1764330

Title:
  Cannot set --no-share on shared network covered also by "access_as_shared" RBAC policy

Status in neutron:
  Confirmed
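
The behaviour the report expects, as a simplified model added here for illustration; it is not neutron's code, and the class and function names are hypothetical. It assumes both tenants actually created the ports that steps 4 and 6 permit, and checks whether removing the wildcard 'access_as_shared' rule would leave any port holder without a grant.

```python
from dataclasses import dataclass

WILDCARD = "*"  # target_tenant value meaning "every tenant"

@dataclass(frozen=True)
class RbacRule:            # hypothetical model of one RBAC entry
    object_id: str         # network the rule applies to
    action: str            # 'access_as_shared' or 'access_as_external'
    target_tenant: str     # tenant ID, or WILDCARD

@dataclass(frozen=True)
class Port:                # hypothetical model: only the fields the check needs
    network_id: str
    tenant_id: str

def stranded_tenants(net_id, owner, rules, ports):
    """Tenants holding ports on net_id that would have no 'access_as_shared'
    rule left once the wildcard rule is removed."""
    still_granted = {r.target_tenant for r in rules
                     if r.object_id == net_id
                     and r.action == "access_as_shared"
                     and r.target_tenant != WILDCARD}
    port_holders = {p.tenant_id for p in ports if p.network_id == net_id}
    # The owner keeps access to its own network without any RBAC rule.
    return sorted(port_holders - still_granted - {owner})

def can_unshare(net_id, owner, rules, ports):
    """True when dropping the wildcard share strands nobody."""
    return not stranded_tenants(net_id, owner, rules, ports)

# Constructed data mirroring steps 1-7 of the report.
NET = "ext_net_A"
RULES = [
    RbacRule(NET, "access_as_external", WILDCARD),  # step 3
    RbacRule(NET, "access_as_shared", "tenantB"),   # step 5
    RbacRule(NET, "access_as_shared", WILDCARD),    # step 7
]
PORTS = [Port(NET, "tenantA"), Port(NET, "tenantB")]  # assumed from steps 4 and 6

if __name__ == "__main__":
    # Report's scenario: tenantB is covered by the step 5 rule.
    print(can_unshare(NET, "tenantA", RULES, PORTS))
    # Same network without the step 5 rule: tenantB would be stranded.
    no_step5 = [r for r in RULES if r.target_tenant != "tenantB"]
    print(stranded_tenants(NET, "tenantA", no_step5, PORTS))
```
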