[Yahoo-eng-team] [Bug 1538767] Re: Users cannot create extra-routes with nexthop on ext-net

Mon, 29 Feb 2016 08:56:57 -0800 

Reviewed:  https://review.openstack.org/273278
Committed: 
https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d5d378769f0715e3254ac00b6f091a6f9f6960b
Submitter: Jenkins
Branch:    master

commit 3d5d378769f0715e3254ac00b6f091a6f9f6960b
Author: Cedric Brandily <[email protected]>
Date:   Wed Jan 27 23:58:18 2016 +0100

    Allow non-admins to define "external" extra-routes
    
    Currently non-admin users can create extra-routes when the nexthop is on
    router-interfaces subnets but not on external-network subnet. Indeed
    user permissions are used to get router ports in order to validate
    nexthops BUT non-admin users don't "see" router port on its external
    network.
    
    This change uses an elevated context instead of user context to enable
    non-admins to create "external" extra-routes.
    
    APIImpact
    Closes-Bug: #1538767
    Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1538767

Title:
  Users cannot create extra-routes with nexthop on ext-net

Status in neutron:
  Fix Released

Bug description:
  Non-admin users cannot create extra-routes on a router with a nexthop
  on ext-net subnet:

    # With admin user
    neutron net-create pub --router-:external
    neutron subnet-create pub 192.168.0.0/16

    # With non-admin user
    neutron router-create router
    neutron router-gateway-set router pub
    neutron router-update router --routes 
nexthop=192.168.0.99,destination=10.10.10.0/24
    >> Invalid format for routes: [{u'destination': u'10.10.10.0/24', 
u'nexthop': u'192.168.0.99'}], the nexthop is not connected with router

  But it succeeds with an admin user.

  nexthop validation gets all ports connected to the router to check if
  nexthop is on a subnet connected to the router BUT non-admin users are
  only allowed to get internal ports!

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1538767/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to