Public bug reported:

On an admin tenant, with an admin user, I created an external network. This automatically creates an "access_as_external" action RBAC policy with "*" value for "target_tenant" attribute.
I deleted this RBAC policy and manually created a new one with two tenant IDs in the "target_tenant" field.

  $ openstack project list
  +----------------------------------+----------+
  | ID                               | Name     |
  +----------------------------------+----------+
  | 1cdeee0a38b943859f23750a651db12c | demo     |
  | 8d3f62906c3949e4a2832df2b86c71e8 | services |
  | a654338c862f401a8665c3fbed289a75 | admin    |
  | b0dc258dd3204bf99750589d1ed23996 | tenantA  | <--------
  +----------------------------------+----------+

  $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
  Created a new rbac_policy:
  +---------------+-------------------------------------------------------------------+
  | Field         | Value                                                             |
  +---------------+-------------------------------------------------------------------+
  | action        | access_as_external                                                |
  | id            | 3fc0bc16-685e-431a-8460-85ad5f8c3d96                              |
  | object_id     | 1f2405cd-90ab-439c-9061-e99d9c6c7a35                              |
  | object_type   | network                                                           |
  | target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 |
  | tenant_id     | a654338c862f401a8665c3fbed289a75                                  |
  +---------------+-------------------------------------------------------------------+

  $ . keystonerc_tenantA
  $ neutron net-list
      <---- we should see the network
  $

Reproduction:
1. create external network.
2. delete its "access_as_external" rbac policy
3. Create a new rbac policy:
   neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network

Version:
Mitaka on RHEL 7.2

  $ rpm -qa | grep neutron
  python-neutron-lib-0.0.2-1.el7.noarch
  openstack-neutron-openvswitch-8.0.0-1.el7.noarch
  openstack-neutron-8.0.0-1.el7.noarch
  python-neutronclient-4.1.1-2.el7.noarch
  python-neutron-8.0.0-1.el7.noarch
  openstack-neutron-metering-agent-8.0.0-1.el7.noarch
  openstack-neutron-ml2-8.0.0-1.el7.noarch
  openstack-neutron-common-8.0.0-1.el7.noarch

packstack installation All In One

** Affects: neutron
     Importance: Undecided
         Status: New

** Description changed:

On an admin tenant, with an admin user, I created an external network. This automatically creates and "access_as_external" action RBAC policy with "*" value for "target_tenant" attribute. I deleted this RBAC policy and manually create a new one with two tenants IDs in the "target_tenant field". - $ openstack project list +----------------------------------+----------+ | ID | Name | +----------------------------------+----------+ | 1cdeee0a38b943859f23750a651db12c | demo | | 8d3f62906c3949e4a2832df2b86c71e8 | services | | a654338c862f401a8665c3fbed289a75 | admin | | b0dc258dd3204bf99750589d1ed23996 | tenantA | <-------- +----------------------------------+----------+ - - $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network + $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network Created a new rbac_policy: +---------------+-------------------------------------------------------------------+ | Field | Value | +---------------+-------------------------------------------------------------------+ | action | access_as_external | | id | 3fc0bc16-685e-431a-8460-85ad5f8c3d96 | | object_id | 1f2405cd-90ab-439c-9061-e99d9c6c7a35 | | object_type | 
network | | target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 | | tenant_id | a654338c862f401a8665c3fbed289a75 | +---------------+-------------------------------------------------------------------+ - - $ . keystonerc_tenantA + $ . keystonerc_tenantA $ neutron net-list - <---- we should see the network + <---- we should see the network $ + Reproduction: + 1. create external network. + 2. delete its "access_as_external" rbac policy + 3. Create a new rbac policy : + neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network - Reproduction: - 1. create external network. - 2. delete its "access_as_external" rbac policy - 3. Create a new rbac policy : - neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network + Version: + Mitaka on thel 7.2 - Version: - Mitaka on thel 7.2 + $rpm -qa | grep neutron + python-neutron-lib-0.0.2-1.el7.noarch + openstack-neutron-openvswitch-8.0.0-1.el7.noarch + openstack-neutron-8.0.0-1.el7.noarch + python-neutronclient-4.1.1-2.el7.noarch + python-neutron-8.0.0-1.el7.noarch + openstack-neutron-metering-agent-8.0.0-1.el7.noarch + openstack-neutron-ml2-8.0.0-1.el7.noarch + openstack-neutron-common-8.0.0-1.el7.noarch packstack installation All In One

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1577101

Title:
  RBAC "Access_as_external" multiple IDs in target_tenant

Status in neutron:
  New
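An added example, not part of the original report and not Neutron's own code: an audit check for rbac_policy records whose target_tenant packs several IDs into one field, as in the reported policy. It assumes target_tenant is compared as one exact string (or "*"), which is consistent with the empty net-list output above; all function names are hypothetical.

```python
import re

# Assumption for this sketch: target_tenant is compared as ONE exact string
# (or the "*" wildcard) and is never split on commas by the server.
PROJECT_ID = re.compile(r"[0-9a-f]{32}")

def tenant_can_access(policy, tenant_id):
    """Exact-match model of an access_as_external check for one tenant."""
    return policy["target_tenant"] in ("*", tenant_id)

def split_targets(value):
    """Split a target_tenant value on commas/whitespace into candidate IDs."""
    return [p for p in re.split(r"[,\s]+", value) if p]

def audit_policy(policy):
    """Return findings for one rbac_policy record (empty list = clean)."""
    target = policy["target_tenant"]
    if target == "*" or PROJECT_ID.fullmatch(target):
        return []
    parts = split_targets(target)
    if len(parts) > 1:
        return ["target_tenant packs %d IDs into one field and matches no "
                "tenant; create one policy per tenant" % len(parts)]
    return ["target_tenant is neither '*' nor a 32-hex project ID"]

def expand_policy(policy):
    """Rewrite a multi-ID policy as one record per well-formed tenant ID."""
    return [dict(policy, target_tenant=t)
            for t in split_targets(policy["target_tenant"])
            if PROJECT_ID.fullmatch(t)]

# Sample record: field values copied from the rbac-create output in the report.
ADMIN = "a654338c862f401a8665c3fbed289a75"
TENANT_A = "b0dc258dd3204bf99750589d1ed23996"
REPORTED = {
    "action": "access_as_external",
    "object_id": "1f2405cd-90ab-439c-9061-e99d9c6c7a35",
    "object_type": "network",
    "target_tenant": ADMIN + "," + TENANT_A,
}

if __name__ == "__main__":
    print("tenantA matches reported policy:", tenant_can_access(REPORTED, TENANT_A))
    for finding in audit_policy(REPORTED):
        print("finding:", finding)
    for fixed in expand_policy(REPORTED):
        print("per-tenant policy for", fixed["target_tenant"])
```

Each record returned by expand_policy corresponds to one separate rbac-create call with a single --target-tenant value.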