Reviewed: https://review.openstack.org/311897 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=89297919a73c1e7f86c61d08f3f3d15278f5763a Submitter: Jenkins Branch: master
commit 89297919a73c1e7f86c61d08f3f3d15278f5763a Author: Kevin Benton <[email protected]> Date: Fri Apr 29 23:24:34 2016 -0700 Fix update target tenant RBAC external path This fixes the logic to allow updates to wildcard RBAC external policies. It was broken for two reasons: first, it was using the wrong kwarg, second, it wasn't considering the target tenant when determining if the policy was required. This patch fixes both issues and adds an API test exercising the update path. Closes-Bug: #1577100 Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201 ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1577100 Title: RBAC "Access_as_external" policy update Status in neutron: Fix Released Bug description: I was trying update "target_tenant" field in the existing RBAC policy, The policy is "access_as_external" policy. On an admin tenant, with an admin user, I created an external network. This automatically creates and "access_as_external" action RBAC policy with "*" value for "target_tenant" attribute. +---------------+--------------------------------------+ | Field | Value | +---------------+--------------------------------------+ | action | access_as_external | | id | f09399eb-1829-4675-8155-4972b4378b9c | | object_id | 0ff86006-8d7d-4e9b-ba11-960c7ff50dae | | object_type | network | | target_tenant | * | | tenant_id | a654338c862f401a8665c3fbed289a75 | +---------------+--------------------------------------+ I wanted to update the RBAC policy but encountered the following error: "neutron rbac-update f09399eb-1829-4675-8155-4972b4378b9c --target_tenant a654338c862f401a8665c3fbed289a75 RBAC policy on object 0ff86006-8d7d-4e9b-ba11-960c7ff50dae cannot be removed because other objects depend on it. Details: Callback neutron.plugins.ml2.plugin.Ml2Plugin._validate_ext_not_in_use_by_tenant failed with "'policy_tenant'" Neutron server returns request_ids: ['req-218d22bd-f484-41e3-9908-798bb93ae149']" The external network is not in use by any router/or any other object. Reproduction steps: Create a network with " router:external" attribute ( external network) See rbac policy list and show the existing rbac policy for the external network (see object_id = network_id) execute "neutron rbac-update RBACPOLICYID --target_tenant DESIRED_TENANT_ID" Version: MITAKA on rhel 7.2 $rpm -qa | grep neutron python-neutron-lib-0.0.2-1.el7.noarch openstack-neutron-openvswitch-8.0.0-1.el7.noarch openstack-neutron-8.0.0-1.el7.noarch python-neutronclient-4.1.1-2.el7.noarch python-neutron-8.0.0-1.el7.noarch openstack-neutron-metering-agent-8.0.0-1.el7.noarch openstack-neutron-ml2-8.0.0-1.el7.noarch openstack-neutron-common-8.0.0-1.el7.noarch AllInOne environment. (packstack installation) To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1577100/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
