Public bug reported:

In neutron/db/l3_db.py:

    def _internal_fip_assoc_data(self, context, fip, tenant_id):
        """Retrieve internal port data for floating IP.

        Retrieve information concerning the internal port where
        the floating IP should be associated to.
        """
        internal_port = self._core_plugin.get_port(context, fip['port_id'])
        if internal_port['tenant_id'] != tenant_id and not context.is_admin:
            port_id = fip['port_id']
            msg = (_('Cannot process floating IP association with '
                     'Port %s, since that port is owned by a '
                     'different tenant') % port_id)
            raise n_exc.BadRequest(resource='floatingip', msg=msg)

This code does not allow operators to override the ability to assign floating IPs to ports on another tenant using RBAC policy. It also does not allow members of the advsvc role to take this action.

This code should be fixed to use the standard neutron RBAC and allow the advsvc role to take this action.

** Affects: neutron
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1853637

Title:
  Assign floating IP to port owned by another tenant is not override-able with RBAC policy

Status in neutron:
  New
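
Added example (not part of the bug report and not neutron's code): a self-contained sketch contrasting the hard-coded ownership test quoted above with a default-deny check driven by an operator-editable rule. The Context class, the rule name associate_fip_to_port and the rule syntax are hypothetical stand-ins, not neutron's policy engine.

```python
# Added illustration: Context, the rule name and the rule syntax are
# hypothetical stand-ins, not neutron's code or its policy engine.
from dataclasses import dataclass, field

ACTION = "associate_fip_to_port"  # hypothetical rule name


@dataclass
class Context:
    tenant_id: str
    roles: set = field(default_factory=set)

    @property
    def is_admin(self):
        return "admin" in self.roles


def hardcoded_check(context, port, fip_tenant_id):
    """Same logic as the quoted check: port owner or admin, nothing else."""
    return port["tenant_id"] == fip_tenant_id or context.is_admin


# Operator-editable rules: a list of alternatives, any one of which allows.
# "owner" matches the port's tenant, "role:<name>" matches a context role.
DEFAULT_POLICY = {ACTION: ["owner", "role:admin"]}
ADVSVC_POLICY = {ACTION: ["owner", "role:admin", "role:advsvc"]}


def policy_check(policy, context, port, fip_tenant_id, action=ACTION):
    """Default deny; allow only if an alternative in the rule matches."""
    for alt in policy.get(action, []):
        if alt == "owner" and port["tenant_id"] == fip_tenant_id:
            return True
        if alt.startswith("role:") and alt[len("role:"):] in context.roles:
            return True
    return False


def decision_matrix(policy):
    """Evaluate both checks for constructed callers against another tenant's port."""
    port = {"id": "port-1", "tenant_id": "tenant-b"}  # constructed sample
    callers = {
        "member": Context("tenant-a", {"member"}),
        "advsvc": Context("tenant-a", {"advsvc"}),
        "admin": Context("tenant-a", {"admin"}),
    }
    return {name: (hardcoded_check(ctx, port, ctx.tenant_id),
                   policy_check(policy, ctx, port, ctx.tenant_id))
            for name, ctx in callers.items()}
```

Each value in the returned mapping is (hard-coded result, policy result); only the policy column changes when the operator edits the rule, and an action with no rule is denied.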