Re: [Users] Using RBAC with OpenContrail

[Stehlik Lukas]

Hi Christian,

as far as I know and what I have tested in devstack with OC, there is no 
support/implementation of neutron RBAC in OpenContrail.

If you try to create neutron RBAC (e.g. neutron rbac-create 
--target-tenant 74af79f96837481da190e359430826cf --action 
access_as_shared --type network 23b6a0fa-4aa6-4220-8ee4-3d2c6715dbc9), 
you will get message "Request Failed: internal server error while 
processing your request. Neutron server returns request_ids: 
['req-c95efe06-8c21-4862-9539-e7d6b1ad1721']"

And from neutron log:

2017-05-24 08:11:41.524 DEBUG neutron.api.v2.base 
[req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin 
bfeaebaaa63c4f00a984d93f22928d88] Request body: {u'rbac_policy': 
{u'action': u'access_as_shared', u'object_type': u'network', 
u'target_tenant': u'74af79f96837481da190e359430826cf', u'object_id': 
u'23b6a0fa-4aa6-4220-8ee4-3d2c6715dbc9'}} from (pid=8331) 
prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:662
2017-05-24 08:11:41.526 ERROR neutron.api.v2.resource 
[req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin 
bfeaebaaa63c4f00a984d93f22928d88] create failed
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource Traceback (most 
recent call last):
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource result = 
method(request=request, **args)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/base.py", line 410, in create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource return 
self._create(request, body, **kwargs)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 148, in 
wrapper
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource ectxt.value = 
e.inner_exc
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 
220, in __exit__
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource self.force_reraise()
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 
196, in force_reraise
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource 
six.reraise(self.type_, self.value, self.tb)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 138, in 
wrapper
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource return f(*args, 
**kwargs)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/base.py", line 521, in _create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     obj = 
do_create(body)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/base.py", line 484, in do_create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource obj_creator = 
getattr(self._plugin, action)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource AttributeError: 
'NeutronPluginContrailCoreV3' object has no attribute 'create_rbac_policy'
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource
2017-05-24 08:11:41.588 INFO neutron.wsgi 
[req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin 
bfeaebaaa63c4f00a984d93f22928d88] 192.168.10.7 - - [24/May/2017 
08:11:41] "POST /v2.0/rbac-policies.json HTTP/1.1" 500 383 0.104980


It is quite surprising because neutron RBAC is part of OpenStack since 
Liberty release.

BR,
Lukas




Dne 26.07.2017 v 17:40 christian.schill...@o-s.de napsal(a):

Hey there,

I am trying to use RBAC in OpenContrail, to share the Networks to 
single tenants.

I am using Openstack Newton with Keystone-API-Version 2.0.

Is this even possible?

Or is RBAC just supported with Keystone v3?

Do you know any nice tutorial for using RBAC?

Would be glad to get some help!

Greetings, Christian,

Christian Schilling



_______________________________________________
Users mailing list
Users@lists.opencontrail.org
http://lists.opencontrail.org/mailman/listinfo/users_lists.opencontrail.org


_______________________________________________
Users mailing list
Users@lists.opencontrail.org
http://lists.opencontrail.org/mailman/listinfo/users_lists.opencontrail.org