Yes, for an existing object, you can share it through object level rbac. You still need to have appropriate API level acts.
Thanks
Suresh

From: Michael Henkel <mhen...@juniper.net>
Date: Wednesday, July 26, 2017 at 12:40 PM
To: Stehlik Lukas <stehlik.lu...@gmail.com>
Cc: "users@lists.opencontrail.org" <users@lists.opencontrail.org>, Suresh Kumar Vinapamula Venkata <sure...@juniper.net>
Subject: Re: [Users] Using RBAC with OpenContrail

Lukas,

It should work:
Access is allowed as follows:
* If the user is the owner and permissions allow (rwx)
* Or if the user tenant is in a shared list and permissions allow
* Or if world access is allowed

+Suresh, to keep me honest.

Regards,
Michael

On 26. Jul 2017, at 23:29, Stehlik Lukas <stehlik.lu...@gmail.com> wrote:

But you can't share network between selected tenants with this OpenContrail RBAC or am I wrong?

BR,
Lukas

On 26.07.2017 at 21:21 Michael Henkel wrote:

neutron rbac is not (yet) supported but contrail brings its own rbac:
https://www.juniper.net/documentation/en_US/contrail3.2/topics/concept/role-resource-access-control-vmc.html

Regards,
Michael

On 26. Jul 2017, at 22:58, Stehlik Lukas <stehlik.lu...@gmail.com> wrote:

Hi Christian,

as far as I know and what I have tested in devstack with OC, there is no support/implementation of neutron RBAC in OpenContrail. If you try to create neutron RBAC (e.g. neutron rbac-create --target-tenant 74af79f96837481da190e359430826cf --action access_as_shared --type network 23b6a0fa-4aa6-4220-8ee4-3d2c6715dbc9), you will get message "Request Failed: internal server error while processing your request.
Neutron server returns request_ids: ['req-c95efe06-8c21-4862-9539-e7d6b1ad1721']"

And from neutron log:

2017-05-24 08:11:41.524 DEBUG neutron.api.v2.base [req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin bfeaebaaa63c4f00a984d93f22928d88] Request body: {u'rbac_policy': {u'action': u'access_as_shared', u'object_type': u'network', u'target_tenant': u'74af79f96837481da190e359430826cf', u'object_id': u'23b6a0fa-4aa6-4220-8ee4-3d2c6715dbc9'}} from (pid=8331) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:662
2017-05-24 08:11:41.526 ERROR neutron.api.v2.resource [req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin bfeaebaaa63c4f00a984d93f22928d88] create failed
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource Traceback (most recent call last):
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     result = method(request=request, **args)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 410, in create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     return self._create(request, body, **kwargs)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 148, in wrapper
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     ectxt.value = e.inner_exc
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     self.force_reraise()
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     six.reraise(self.type_, self.value, self.tb)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/usr/local/lib/python2.7/dist-packages/oslo_db/api.py", line 138, in wrapper
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     return f(*args, **kwargs)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 521, in _create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     obj = do_create(body)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 484, in do_create
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource     obj_creator = getattr(self._plugin, action)
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource AttributeError: 'NeutronPluginContrailCoreV3' object has no attribute 'create_rbac_policy'
2017-05-24 08:11:41.526 TRACE neutron.api.v2.resource
2017-05-24 08:11:41.588 INFO neutron.wsgi [req-c95efe06-8c21-4862-9539-e7d6b1ad1721 admin bfeaebaaa63c4f00a984d93f22928d88] 192.168.10.7 - - [24/May/2017 08:11:41] "POST /v2.0/rbac-policies.json HTTP/1.1" 500 383 0.104980

It is quite surprising because neutron RBAC is part of OpenStack since Liberty release.

BR,
Lukas

On 26.07.2017 at 17:40 christian.schill...@o-s.de wrote:

Hey there,

I am trying to use RBAC in OpenContrail, to share the Networks to single tenants. I am using OpenStack Newton with Keystone-API-Version 2.0.
Is this even possible? Or is RBAC just supported with Keystone v3?
Do you know any nice tutorial for using RBAC?

Would be glad to get some help!

Greetings, Christian,

Christian Schilling
_______________________________________________
Users mailing list
Users@lists.opencontrail.org
http://lists.opencontrail.org/mailman/listinfo/users_lists.opencontrail.org
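
Added example, not part of the original thread and not OpenContrail code: a small Python model of the object-level rule listed in the thread (owner, shared list, world), gated by the API-level requirement mentioned in the top reply. The class, field names, tenant labels and the 4/2/1 encoding of rwx are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed encoding of the "rwx" permissions mentioned in the thread.
READ, WRITE, EXEC = 4, 2, 1


@dataclass
class ObjectPerms:
    """Hypothetical per-object permission record (names are assumptions)."""
    owner: str                                   # owning tenant
    owner_access: int = READ | WRITE | EXEC      # rwx bits for the owner
    share: dict = field(default_factory=dict)    # tenant -> rwx bits
    global_access: int = 0                       # rwx bits for "world"


def object_access_allowed(perms, tenant, wanted):
    """Return which rule grants `wanted` bits to `tenant`, or None if denied.

    Rules are tried in the order given in the thread: owner, shared, world.
    """
    if wanted <= 0:
        raise ValueError("at least one permission bit must be requested")
    if tenant == perms.owner and (perms.owner_access & wanted) == wanted:
        return "owner"
    if (perms.share.get(tenant, 0) & wanted) == wanted:
        return "shared"
    if (perms.global_access & wanted) == wanted:
        return "world"
    return None


def request_allowed(api_level_ok, perms, tenant, wanted):
    """Both layers must pass: the API-level rule and the object-level check."""
    return bool(api_level_ok) and object_access_allowed(perms, tenant, wanted) is not None


if __name__ == "__main__":
    # Constructed sample: a network owned by tenant-a, shared read-only with tenant-b.
    net = ObjectPerms(owner="tenant-a", share={"tenant-b": READ})
    for tenant in ("tenant-a", "tenant-b", "tenant-c"):
        for name, bits in (("read", READ), ("write", WRITE)):
            print(tenant, name, object_access_allowed(net, tenant, bits))
```

A tenant that appears in neither the owner field nor the share list is denied unless world access covers the requested bits, which is the selective sharing asked about in the thread.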