Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

2015-02-10 Thread Varun Lodaya
Ohk, a hacky way to share network across specific tenants. Cool, thanks Kevin.

- Varun

From: Kevin Benton <blak...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, February 10, 2015 at 3:06 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

Unfortunately shared networks right now have no fine-grained control so every 
single tenant can attach to a network once it is marked as shared. So if you 
have one tenant who wants to have another tenant attach a few servers to 
his/her network, the only choice is to have the admin do it via the operation 
you described above.


Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

2015-02-10 Thread Kevin Benton
Unfortunately shared networks right now have no fine-grained control so
every single tenant can attach to a network once it is marked as shared. So
if you have one tenant who wants to have another tenant attach a few
servers to his/her network, the only choice is to have the admin do it via
the operation you described above.

On Tue, Feb 10, 2015 at 2:53 PM, Varun Lodaya 
wrote:

> Hey Kevin,
>
> Thanks for the quick response. But any particular use-case where we would
> need port/network from different tenants unless it’s a shared network?
>
> Thanks,
> Varun

Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

2015-02-10 Thread Varun Lodaya
Hey Kevin,

Thanks for the quick response. But any particular use-case where we would need 
port/network from different tenants unless it’s a shared network?

Thanks,
Varun

From: Kevin Benton <blak...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, February 10, 2015 at 2:33 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

You can have ports from different tenants in a network. It's an admin-only 
capability unless the network is marked as "shared".


Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail

2015-02-10 Thread Kevin Benton
You can have ports from different tenants in a network. It's an admin-only
capability unless the network is marked as "shared".

On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya 
wrote:

> Adding the right subject line.

-- 
Kevin Benton
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
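
The rule described in this reply (ports in another tenant's network are admin-only unless the network is "shared") can be audited after the fact. The following is an added example, not part of the thread or of Neutron's code: it flags ports whose tenant_id differs from their network's, using the field names from the port-show and net-show output in this thread. The function name and the records labelled as constructed are assumptions.

```python
# Added example: audit Neutron port/network records for cross-tenant attachment.
# Records are plain dicts using the field names shown in the port-show and
# net-show output in this thread; how they are fetched is out of scope here.

def find_cross_tenant_ports(ports, networks):
    """Return (port_id, reason) for each port not owned by its network's tenant."""
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        net = nets.get(port["network_id"])
        if net is None:
            # Network not visible to the caller: ownership cannot be judged.
            findings.append((port["id"], "network-not-found"))
            continue
        if port["tenant_id"] == net["tenant_id"]:
            continue
        # shared=True: any tenant may attach. shared=False: per the thread,
        # only an admin can have created this port.
        reason = "shared-network" if net.get("shared") else "admin-created"
        findings.append((port["id"], reason))
    return findings


# The first network and first port use the values posted in the thread (the
# port's tenant_id is reproduced as it appears there). The rest are constructed.
NETWORKS = [
    {"id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "099bfd6e59434b51a479ab7142ff01df", "shared": False},
    {"id": "net-shared-example", "tenant_id": "tenant-b-example", "shared": True},
]
PORTS = [
    {"id": "fc6917ea-0c0c-4ec5-9202-4441701c9984",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "d0d1e6e21268418bb0adcea413a3"},
    {"id": "port-same-tenant-example",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "099bfd6e59434b51a479ab7142ff01df"},
    {"id": "port-on-shared-example", "network_id": "net-shared-example",
     "tenant_id": "tenant-a-example"},
    {"id": "port-orphan-example", "network_id": "net-missing-example",
     "tenant_id": "tenant-a-example"},
]

if __name__ == "__main__":
    for port_id, reason in find_cross_tenant_ports(PORTS, NETWORKS):
        print(f"{port_id}: {reason}")
```

An "admin-created" finding on a non-shared network is the case reported in this thread and is the one worth reviewing with the network's owner.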


[openstack-dev] [neutron] - port-create with network from a different tenant does not fail

2015-02-10 Thread Varun Lodaya
Adding the right subject line.

From: Varun Lodaya <varun_lod...@symantec.com>
Date: Tuesday, February 10, 2015 at 2:26 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: port-create with network from a different tenant does not fail

Hi,

We were seeing this issue where if the user role is admin in 2 tenants A and B 
and he issues neutron port-create  in tenant A where  
is in tenant B, it ends up creating that port. Ideally, it should have failed 
since you cannot have the port/network in different tenants.

varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
+-----------------------+----------------------------------------------------------------------------------+
| Field                 | Value                                                                            |
+-----------------------+----------------------------------------------------------------------------------+
| admin_state_up        | True                                                                             |
| allowed_address_pairs |                                                                                  |
| binding:host_id       |                                                                                  |
| binding:profile       | {}                                                                               |
| binding:vif_details   | {}                                                                               |
| binding:vif_type      | unbound                                                                          |
| binding:vnic_type     | normal                                                                           |
| device_id             |                                                                                  |
| device_owner          |                                                                                  |
| extra_dhcp_opts       |                                                                                  |
| fixed_ips             | {"subnet_id": "8c9f5682-daf8-40e1-9b6a-57cfed7f024c", "ip_address": "10.1.1.13"} |
| id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                             |
| mac_address           | fa:16:3e:18:6e:95                                                                |
| name                  |                                                                                  |
| network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                             |
| security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                             |
| status                | DOWN                                                                             |
| tenant_id             | d0d1e6e21268418bb0adcea413a3                                                     |
+-----------------------+----------------------------------------------------------------------------------+
varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| name                      | alt_private                          |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1003                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
| tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
+---------------------------+--------------------------------------+
varunlodaya@ubuntu:~/devstack$


Is this an expected behavior or a known bug? Should I create a new one?

Thanks,
Varun