[Yahoo-eng-team] [Bug 2075529] [NEW] Unable to delete "access_as_shared" RBAC policy

Mon, 05 Aug 2024 10:59:59 -0700 

Public bug reported:

I encounter a very strange behavior when I try to add and delete the 
"access_as_shared" RBAC policy.
I can add it successfully, but the subsequent delete doesn't work:

openstack network rbac create ...   # SUCCESS
openstack network rbac delete $ID   # FAIL

Pre-requirements:
- The network is external.
- There is a floating IP or router in the network.

Here is a demo:

Creating an external network and a Floating IP address:

[root@devoct30 ~]# openstack network create net0 --external -c id -f value
9e3285c5-6034-4851-bd72-02d24f5e3f98
[root@devoct30 ~]# openstack subnet create sub --network net0 --subnet-range 
192.168.100.0/24 --no-dhcp
[root@devoct30 ~]# openstack floating ip create net0
[root@devoct30 ~]# openstack network rbac list --long
+--------------------------------------+-------------+--------------------------------------+--------------------+
| ID                                   | Object Type | Object ID                
            | Action             |
+--------------------------------------+-------------+--------------------------------------+--------------------+
| 324163f7-b79f-493e-a78d-58da0990830e | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
+--------------------------------------+-------------+--------------------------------------+--------------------+
[root@devoct30 ~]#


Adding the "access_as_shared" RBAC policy and trying to delete it:

[root@devoct30 ~]# openstack network rbac create 
9e3285c5-6034-4851-bd72-02d24f5e3f98 --type  network --action access_as_shared 
--target-all-projects
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| id                | 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 |
| object_id         | 9e3285c5-6034-4851-bd72-02d24f5e3f98 |
| object_type       | network                              |
| project_id        | af61bf69ee0a4a7db97d2dd640d967c2     |
| target_project_id | *                                    |
+-------------------+--------------------------------------+
[root@devoct30 ~]# openstack network rbac list --long
+--------------------------------------+-------------+--------------------------------------+--------------------+
| ID                                   | Object Type | Object ID                
            | Action             |
+--------------------------------------+-------------+--------------------------------------+--------------------+
| 324163f7-b79f-493e-a78d-58da0990830e | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
| 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_shared   |
+--------------------------------------+-------------+--------------------------------------+--------------------+
[root@devoct30 ~]#
[root@devoct30 ~]# openstack network rbac delete 
4eff94d8-f872-41b3-b3ce-71cdcb40d2e6
Failed to delete RBAC policy with ID '4eff94d8-f872-41b3-b3ce-71cdcb40d2e6': 
ConflictException: 409: Client Error for url: 
http://10.136.19.166:9696/networking/v2.0/rbac-policies/4eff94d8-f872-41b3-b3ce-71cdcb40d2e6,
 RBAC policy on object 9e3285c5-6034-4851-bd72-02d24f5e3f98 cannot be removed 
because other objects depend on it.
Details: Callback 
neutron.plugins.ml2.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-3919969
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback 
neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-999219
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback 
neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-994607
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it."
1 of 1 RBAC policies failed to delete.
[root@devoct30 ~]#


Environment:
single devstack installation from master branch

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2075529

Title:
  Unable to delete "access_as_shared" RBAC policy

Status in neutron:
  New

Bug description:
  I encounter a very strange behavior when I try to add and delete the 
"access_as_shared" RBAC policy.
  I can add it successfully, but the subsequent delete doesn't work:

  openstack network rbac create ...   # SUCCESS
  openstack network rbac delete $ID   # FAIL

  Pre-requirements:
  - The network is external.
  - There is a floating IP or router in the network.

  Here is a demo:

  Creating an external network and a Floating IP address:

  [root@devoct30 ~]# openstack network create net0 --external -c id -f value
  9e3285c5-6034-4851-bd72-02d24f5e3f98
  [root@devoct30 ~]# openstack subnet create sub --network net0 --subnet-range 
192.168.100.0/24 --no-dhcp
  [root@devoct30 ~]# openstack floating ip create net0
  [root@devoct30 ~]# openstack network rbac list --long
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  | ID                                   | Object Type | Object ID              
              | Action             |
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  | 324163f7-b79f-493e-a78d-58da0990830e | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  [root@devoct30 ~]#

  
  Adding the "access_as_shared" RBAC policy and trying to delete it:

  [root@devoct30 ~]# openstack network rbac create 
9e3285c5-6034-4851-bd72-02d24f5e3f98 --type  network --action access_as_shared 
--target-all-projects
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | action            | access_as_shared                     |
  | id                | 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 |
  | object_id         | 9e3285c5-6034-4851-bd72-02d24f5e3f98 |
  | object_type       | network                              |
  | project_id        | af61bf69ee0a4a7db97d2dd640d967c2     |
  | target_project_id | *                                    |
  +-------------------+--------------------------------------+
  [root@devoct30 ~]# openstack network rbac list --long
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  | ID                                   | Object Type | Object ID              
              | Action             |
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  | 324163f7-b79f-493e-a78d-58da0990830e | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
  | 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 | network     | 
9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_shared   |
  
+--------------------------------------+-------------+--------------------------------------+--------------------+
  [root@devoct30 ~]#
  [root@devoct30 ~]# openstack network rbac delete 
4eff94d8-f872-41b3-b3ce-71cdcb40d2e6
  Failed to delete RBAC policy with ID '4eff94d8-f872-41b3-b3ce-71cdcb40d2e6': 
ConflictException: 409: Client Error for url: 
http://10.136.19.166:9696/networking/v2.0/rbac-policies/4eff94d8-f872-41b3-b3ce-71cdcb40d2e6,
 RBAC policy on object 9e3285c5-6034-4851-bd72-02d24f5e3f98 cannot be removed 
because other objects depend on it.
  Details: Callback 
neutron.plugins.ml2.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-3919969
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback 
neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-999219
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback 
neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-994607
 failed with "Unable to reconfigure sharing settings for network 
9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it."
  1 of 1 RBAC policies failed to delete.
  [root@devoct30 ~]#

  
  Environment:
  single devstack installation from master branch

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2075529/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to