Public bug reported:

1. Create tenant1 with user1 and tenant2 with user2, assign testrole to both.

2. Change the default policy.json to allow creation of ports with fixed IP address in a shared network:

()[root@controller-2 /]# diff /etc/neutron/policy.json /etc/neutron/policy.json.bkp
78c78
<     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
---
>     "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",

3. As user1 create a network and share it via RBAC to tenant2:

user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2019-06-19T18:01:01Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | rbacnet1                             |
| port_security_enabled     | True                                 |
| project_id                | 4ff7e3db6d64429db1b39f993bb99411     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2019-06-19T18:01:02Z                 |
+---------------------------+--------------------------------------+

user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID                                   | Name     | Subnets                              |
+--------------------------------------+----------+--------------------------------------+
| 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 |                                      |
| d6540930-acb2-48f9-8451-da3c5c7622aa | public   | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
+--------------------------------------+----------+--------------------------------------+

user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf1add0902f73690bac rbacnet1
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| id                | e377033b-f374-4fd5-8015-9a7426681d7e |
| name              | None                                 |
| object_id         | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| object_type       | network                              |
| project_id        | 4ff7e3db6d64429db1b39f993bb99411     |
| target_project_id | ba08ccc271614bf1add0902f73690bac     |
+-------------------+--------------------------------------+

user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 10.0.100.2-10.0.100.254              |
| cidr              | 10.0.100.0/24                        |
| created_at        | 2019-06-19T18:10:50Z                 |
| description       |                                      |
| dns_nameservers   |                                      |
| enable_dhcp       | True                                 |
| gateway_ip        | 10.0.100.1                           |
| host_routes       |                                      |
| id                | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | rbacsubnet1                          |
| network_id        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
| project_id        | 4ff7e3db6d64429db1b39f993bb99411     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2019-06-19T18:10:50Z                 |
+-------------------+--------------------------------------+

4. As user2 try to create a port with a fixed IP:

user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID                                   | Name     | Subnets                              |
+--------------------------------------+----------+--------------------------------------+
| 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
| d6540930-acb2-48f9-8451-da3c5c7622aa | public   | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
+--------------------------------------+----------+--------------------------------------+

user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
| shared                    | True                                 |

user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=rbacsubnet1,ip-address=10.0.100.123
HttpException: 403: Client Error for url: http://10.0.0.112:9696/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

5. Creating the port without fixed IP works fine:

user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
+-----------------------+----------------------------------------------------------------------------+
| Field                 | Value                                                                      |
+-----------------------+----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                         |
| allowed_address_pairs |                                                                            |
| binding_host_id       | None                                                                       |
| binding_profile       | None                                                                       |
| binding_vif_details   | None                                                                       |
| binding_vif_type      | None                                                                       |
| binding_vnic_type     | normal                                                                     |
| created_at            | 2019-06-19T18:28:49Z                                                       |
| data_plane_status     | None                                                                       |
| description           |                                                                            |
| device_id             |                                                                            |
| device_owner          |                                                                            |
| dns_assignment        | None                                                                       |
| dns_domain            | None                                                                       |
| dns_name              | None                                                                       |
| extra_dhcp_opts       |                                                                            |
| fixed_ips             | ip_address='10.0.100.15', subnet_id='c00f565b-e4eb-4bf5-852c-8a22b95911fa' |
| id                    | 7fe12e20-0e2c-4801-9742-da2eeef63f43                                       |
| mac_address           | fa:16:3e:99:6e:6b                                                          |
| name                  | portx11                                                                    |
| network_id            | 8961329b-08a2-4c7c-88cf-b5cca43ca678                                       |
| port_security_enabled | True                                                                       |
| project_id            | ba08ccc271614bf1add0902f73690bac                                           |
| qos_policy_id         | None                                                                       |
| revision_number       | 2                                                                          |
| security_group_ids    | 063f4f88-24f8-442d-b1b4-d0f9e5bc4f9b                                       |
| status                | DOWN                                                                       |
| tags                  |                                                                            |
| trunk_details         | None                                                                       |
| updated_at            | 2019-06-19T18:28:49Z                                                       |
+-----------------------+----------------------------------------------------------------------------+

Expected result is that the port with fixed IP should be created following the policy. Even though rule:shared should be honored, the policy is interpreted within an admin context where the network looks like shared = False.

Description is similar to an older bug:
- https://bugs.launchpad.net/neutron/+bug/1543756

** Affects: neutron
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1833455

Title:
  [RBAC] User is not allowed to create port with fixed IP on shared network via RBAC

Status in neutron:
  New
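As an added illustration (not code from the report, from Neutron or from oslo.policy), the following simplified Python model of the policy check shows why the modified rule still fails: the RBAC-derived "shared" flag is only True relative to the target project of the access_as_shared entry, so a network fetched in an admin context with no project reports shared=False even though user2's own view shows True. Context, RBAC_ENTRIES, build_target and evaluate are assumed names; the project and network IDs and the rule terms are the ones from the report.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed data mirroring the report: tenant1 owns rbacnet1 and shares it
# with tenant2 through one network RBAC entry (action access_as_shared).
TENANT1 = "4ff7e3db6d64429db1b39f993bb99411"
TENANT2 = "ba08ccc271614bf1add0902f73690bac"
NETWORK = {"id": "8961329b-08a2-4c7c-88cf-b5cca43ca678", "project_id": TENANT1}
RBAC_ENTRIES = [  # (object_id, action, target_project_id); "*" would mean everyone
    (NETWORK["id"], "access_as_shared", TENANT2),
]

@dataclass
class Context:
    """Simplified request context (assumed model, not neutron's own class)."""
    project_id: Optional[str]
    is_admin: bool = False
    roles: List[str] = field(default_factory=list)

def is_shared_for(network, ctx):
    """RBAC-derived 'shared' flag: True only if an entry grants access_as_shared
    to this context's project (or to '*'). An admin context without a project
    matches neither, so the same network reports shared=False."""
    return any(obj == network["id"] and action == "access_as_shared"
               and target in ("*", ctx.project_id)
               for obj, action, target in RBAC_ENTRIES)

def build_target(network, ctx):
    """Attribute dict handed to the policy engine; 'shared' depends on the
    context that fetched the network, which is the crux of the report."""
    return {"network_id": network["id"],
            "network:tenant_id": network["project_id"],
            "shared": is_shared_for(network, ctx)}

def fixed_ip_allowed(target, requester):
    """The modified rule from the report:
    rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared."""
    context_is_advsvc = "advsvc" in requester.roles
    admin_or_network_owner = (requester.is_admin
                              or requester.project_id == target["network:tenant_id"])
    return context_is_advsvc or admin_or_network_owner or target["shared"]

def evaluate(view_ctx, requester):
    """Check the rule for `requester` against a target fetched as `view_ctx`."""
    return fixed_ip_allowed(build_target(NETWORK, view_ctx), requester)

user2 = Context(project_id=TENANT2)            # the requester in step 4
admin_ctx = Context(project_id=None, is_admin=True)  # context neutron uses to fetch
```

evaluate(user2, user2) returns True, while evaluate(admin_ctx, user2) returns False, which is the 403 seen in step 4 of the report.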