Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Ohk, a hacky way to share network across specific tenants. Cool, thanks Kevin.

- Varun

From: Kevin Benton <blak...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, February 10, 2015 at 3:06 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

Unfortunately shared networks right now have no fine-grained control so every single tenant can attach to a network once it is marked as shared. So if you have one tenant who wants to have another tenant attach a few servers to his/her network, the only choice is to have the admin do it via the operation you described above.

On Tue, Feb 10, 2015 at 2:53 PM, Varun Lodaya <varun_lod...@symantec.com> wrote:

Hey Kevin,

Thanks for the quick response. But any particular use-case where we would need port/network from different tenants unless it’s a shared network?

Thanks,
Varun

From: Kevin Benton <blak...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, February 10, 2015 at 2:33 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

You can have ports from different tenants in a network. It's an admin-only capability unless the network is marked as "shared".

On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya <varun_lod...@symantec.com> wrote:

Adding the right subject line.
Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Unfortunately shared networks right now have no fine-grained control so every single tenant can attach to a network once it is marked as shared. So if you have one tenant who wants to have another tenant attach a few servers to his/her network, the only choice is to have the admin do it via the operation you described above.

On Tue, Feb 10, 2015 at 2:53 PM, Varun Lodaya wrote:

> Hey Kevin,
>
> Thanks for the quick response. But any particular use-case where we would
> need port/network from different tenants unless it’s a shared network?
>
> Thanks,
> Varun
>
> From: Kevin Benton
> Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
> Date: Tuesday, February 10, 2015 at 2:33 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
> Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
>
> You can have ports from different tenants in a network. It's an admin-only
> capability unless the network is marked as "shared".
>
> On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya wrote:
>
>> Adding the right subject line.
>>
>> From: Varun Lodaya
>> Date: Tuesday, February 10, 2015 at 2:26 PM
>> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
>> Subject: port-create with network from a different tenant does not fail
>>
>> Hi,
>>
>> We were seeing this issue where if the user role is admin in 2 tenants A
>> and B and he issues neutron port-create in tenant A where
>> is in tenant B, it ends up creating that port. Ideally, it
>> should have failed since you cannot have the port/network in different
>> tenants.
Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Hey Kevin,

Thanks for the quick response. But any particular use-case where we would need port/network from different tenants unless it’s a shared network?

Thanks,
Varun

From: Kevin Benton <blak...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, February 10, 2015 at 2:33 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

You can have ports from different tenants in a network. It's an admin-only capability unless the network is marked as "shared".

On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya <varun_lod...@symantec.com> wrote:

Adding the right subject line.

From: Varun Lodaya <varun_lod...@symantec.com>
Date: Tuesday, February 10, 2015 at 2:26 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: port-create with network from a different tenant does not fail

Hi,

We were seeing this issue where if the user role is admin in 2 tenants A and B and he issues neutron port-create in tenant A where is in tenant B, it ends up creating that port. Ideally, it should have failed since you cannot have the port/network in different tenants.
Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
You can have ports from different tenants in a network. It's an admin-only capability unless the network is marked as "shared".

On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya wrote:

> Adding the right subject line.
>
> From: Varun Lodaya
> Date: Tuesday, February 10, 2015 at 2:26 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
> Subject: port-create with network from a different tenant does not fail
>
> Hi,
>
> We were seeing this issue where if the user role is admin in 2 tenants A
> and B and he issues neutron port-create in tenant A where
> is in tenant B, it ends up creating that port. Ideally, it
> should have failed since you cannot have the port/network in different
> tenants.
>
> varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
> +-----------------------+----------------------------------------------------------------------------------+
> | Field                 | Value                                                                            |
> +-----------------------+----------------------------------------------------------------------------------+
> | admin_state_up        | True                                                                             |
> | allowed_address_pairs |                                                                                  |
> | binding:host_id       |                                                                                  |
> | binding:profile       | {}                                                                               |
> | binding:vif_details   | {}                                                                               |
> | binding:vif_type      | unbound                                                                          |
> | binding:vnic_type     | normal                                                                           |
> | device_id             |                                                                                  |
> | device_owner          |                                                                                  |
> | extra_dhcp_opts       |                                                                                  |
> | fixed_ips             | {"subnet_id": "8c9f5682-daf8-40e1-9b6a-57cfed7f024c", "ip_address": "10.1.1.13"} |
> | id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                             |
> | mac_address           | fa:16:3e:18:6e:95                                                                |
> | name                  |                                                                                  |
> | network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                             |
> | security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                             |
> | status                | DOWN                                                                             |
> | tenant_id             | d0d1e6e21268418bb0adcea413a3                                                     |
> +-----------------------+----------------------------------------------------------------------------------+
> varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
> | name                      | alt_private                          |
> | provider:network_type     | vxlan                                |
> | provider:physical_network |                                      |
> | provider:segmentation_id  | 1003                                 |
> | router:external           | False                                |
> | shared                    | False                                |
> | status                    | ACTIVE                               |
> | subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
> | tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
> +---------------------------+--------------------------------------+
> varunlodaya@ubuntu:~/devstack$
>
> Is this an expected behavior or a known bug? Should I create a new one?
>
> Thanks,
> Varun
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Kevin Benton
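The rule Kevin describes in this thread (cross-tenant ports are admin-only unless the network is marked "shared", and a shared network is open to every tenant) can be modelled and audited as below. This is an added example, not part of the original thread and not Neutron's own policy code; the function names and the records marked as constructed are assumptions, while the first network and port reuse the values from the quoted net-show and port-show output.

```python
# Constructed sample data. The first network and the first port reuse the
# values shown in the thread's net-show / port-show output; the rest are made up.
NETWORKS = [
    {"id": "0036a345-35ea-42c8-a66c-f9831d0a03a5", "name": "alt_private",
     "tenant_id": "099bfd6e59434b51a479ab7142ff01df", "shared": False},
    {"id": "net-shared-example", "name": "shared_net",
     "tenant_id": "tenant-c-example", "shared": True},
]
PORTS = [
    {"id": "fc6917ea-0c0c-4ec5-9202-4441701c9984",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "d0d1e6e21268418bb0adcea413a3"},
    {"id": "port-same-tenant-example",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "099bfd6e59434b51a479ab7142ff01df"},
    {"id": "port-on-shared-example", "network_id": "net-shared-example",
     "tenant_id": "d0d1e6e21268418bb0adcea413a3"},
]


def may_create_port(caller_tenant, is_admin, network):
    """Rule as described in the thread (a model, not Neutron's policy code)."""
    return is_admin or network["shared"] or network["tenant_id"] == caller_tenant


def cross_tenant_ports(ports, networks):
    """List ports whose tenant differs from the owning network's tenant."""
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        net = nets.get(port["network_id"])
        if net is None:
            findings.append((port["id"], "unknown-network"))
        elif port["tenant_id"] != net["tenant_id"]:
            # On a non-shared network only an admin could have created this port.
            reason = "shared-network" if net["shared"] else "admin-created"
            findings.append((port["id"], reason))
    return findings


if __name__ == "__main__":
    for port_id, reason in cross_tenant_ports(PORTS, NETWORKS):
        print(f"{port_id}: {reason}")
```

Ports reported as "admin-created" are the ones worth reviewing, since they record an admin crossing a tenant boundary on a network that was never shared.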
[openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Adding the right subject line.

From: Varun Lodaya <varun_lod...@symantec.com>
Date: Tuesday, February 10, 2015 at 2:26 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: port-create with network from a different tenant does not fail

Hi,

We were seeing this issue where if the user role is admin in 2 tenants A and B and he issues neutron port-create in tenant A where is in tenant B, it ends up creating that port. Ideally, it should have failed since you cannot have the port/network in different tenants.

varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
+-----------------------+----------------------------------------------------------------------------------+
| Field                 | Value                                                                            |
+-----------------------+----------------------------------------------------------------------------------+
| admin_state_up        | True                                                                             |
| allowed_address_pairs |                                                                                  |
| binding:host_id       |                                                                                  |
| binding:profile       | {}                                                                               |
| binding:vif_details   | {}                                                                               |
| binding:vif_type      | unbound                                                                          |
| binding:vnic_type     | normal                                                                           |
| device_id             |                                                                                  |
| device_owner          |                                                                                  |
| extra_dhcp_opts       |                                                                                  |
| fixed_ips             | {"subnet_id": "8c9f5682-daf8-40e1-9b6a-57cfed7f024c", "ip_address": "10.1.1.13"} |
| id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                             |
| mac_address           | fa:16:3e:18:6e:95                                                                |
| name                  |                                                                                  |
| network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                             |
| security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                             |
| status                | DOWN                                                                             |
| tenant_id             | d0d1e6e21268418bb0adcea413a3                                                     |
+-----------------------+----------------------------------------------------------------------------------+
varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| name                      | alt_private                          |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1003                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
| tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
+---------------------------+--------------------------------------+
varunlodaya@ubuntu:~/devstack$

Is this an expected behavior or a known bug? Should I create a new one?
Thanks,
Varun