Re: [openstack-dev] [neutron] Limitation of permissions on modification some resources

2014-10-02 Thread Andrey Epifanov

Thank you Mark for the answer.

andrey

On 29.09.2014 18:31, Mark McClain wrote:


On Sep 29, 2014, at 7:09 AM, Andrey Epifanov wrote:



Hi All,

I started working on the
https://bugs.launchpad.net/neutron/+bug/1339028
and realized that we have the same issue with other connected
resources in Neutron.


This is a bug in how we’re implementing the logic to manage routes on
the router instance in the l3-agent implementation.  There are other
implementations of the logical router that do not need this restriction.




The problem is that we have API for the modification of any resources without
limitations, for example, we can modify Router IP and connected to this subnet
VMs never will know about it and lose the default router. The same situation
with routes and IP for DHCP/DNS ports.

https://bugs.launchpad.net/neutron/+bug/1374398
https://bugs.launchpad.net/neutron/+bug/1267310


I don’t see any of these as a bug.  If a tenant wants to make changes to
their network (even ill-advised ones), we should allow it.
Restricting these API operations to admins means we’re inhibiting
users from making changes that could be regular maintenance operations
of a tenant.


mark



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev







Re: [openstack-dev] [neutron] Limitation of permissions on modification some resources

2014-09-29 Thread Mark McClain

On Sep 29, 2014, at 7:09 AM, Andrey Epifanov wrote:

> Hi All,
> 
> I started working on the https://bugs.launchpad.net/neutron/+bug/1339028
> and realized that we have the same issue with other connected resources in 
> Neutron.

This is a bug in how we’re implementing the logic to manage routes on the router
instance in the l3-agent implementation.  There are other implementations of
the logical router that do not need this restriction.

> 
> The problem is that we have API for the modification of any resources without
> limitations, for example, we can modify Router IP and connected to this subnet
> VMs never will know about it and lose the default router. The same situation
> with routes and IP for DHCP/DNS ports.
>  
> https://bugs.launchpad.net/neutron/+bug/1374398
> https://bugs.launchpad.net/neutron/+bug/1267310

I don’t see any of these as a bug.  If a tenant wants to make changes to their
network (even ill-advised ones), we should allow it.  Restricting these API
operations to admins means we’re inhibiting users from making changes that
could be regular maintenance operations of a tenant.

mark



[openstack-dev] [neutron] Limitation of permissions on modification some resources

2014-09-29 Thread Andrey Epifanov

Hi All,

I started working on the https://bugs.launchpad.net/neutron/+bug/1339028
and realized that we have the same issue with other connected resources
in Neutron.


The problem is that we have API for the modification of any resources without
limitations, for example, we can modify Router IP and connected to this subnet
VMs never will know about it and lose the default router. The same situation
with routes and IP for DHCP/DNS ports.

https://bugs.launchpad.net/neutron/+bug/1374398
https://bugs.launchpad.net/neutron/+bug/1267310

So, we need to have a common approach for resolving these issues.

The solution might be the following:
- To deny any modification of resources that were created and
   configured automatically during usual operations.
- To provide modification permissions only to admin.

What is your opinion?

Thanks and Best Regards,
Andrey.