Fix proposed to branch: master
Review: https://review.openstack.org/432850
** Changed in: neutron
Status: Opinion => In Progress
https://bugs.launchpad.net/bugs/1543756
Title:
RBAC: Port creation on a shared network failed if --fixed-ip is
specified in 'neutron port-create' command
Status in neutron:
In Progress
Bug description:
The network demo-net, owned by user demo, is shared with tenant
demo-2. The sharing is created by demo using the command
neutron rbac-create --type network --action access_as_shared --target-tenant <demo-2-tenant-id> demo-net
A user on the demo-2 tenant can see the network demo-net:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron net-list
+--------------------------------------+----------+--------------------------------------------------+
| id                                   | name     | subnets                                          |
+--------------------------------------+----------+--------------------------------------------------+
| 85bb7612-e5fa-440c-bacf-86c5929298f3 | demo-net | e66487b6-430b-4fb1-8a87-ed28dd378c43 10.1.2.0/24 |
|                                      |          | ff01f7ca-d838-42dc-8d86-1b2830bc4824 10.1.3.0/24 |
| 5beb4080-4cf0-4921-9bbf-a7f65df6367f | public   | 57485a80-815c-45ef-a0d1-ce11939d7fab             |
|                                      |          | 38d1ddad-8084-4d32-b142-240e16fcd5df             |
+--------------------------------------+----------+--------------------------------------------------+
The owner of network demo-net is able to create a port using the command
'neutron port-create demo-net --fixed-ip ...':
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field                 | Value                                                                           |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up        | True                                                                            |
| allowed_address_pairs |                                                                                 |
| binding:vnic_type     | normal                                                                          |
| device_id             |                                                                                 |
| device_owner          |                                                                                 |
| dns_name              |                                                                                 |
| fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.6"} |
| id                    | 37402f22-fcd5-4b01-8b01-c6734573d7a8                                            |
| mac_address           | fa:16:3e:44:71:ad                                                               |
| name                  |                                                                                 |
| network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
| security_groups       | 7db11aa0-3d0d-40d1-ae25-e4c02b8886ce                                            |
| status                | DOWN                                                                            |
| tenant_id             | 54913ee1ca89458ba792d685c799484d                                                |
+-----------------------+---------------------------------------------------------------------------------+
The user demo-2 of tenant demo-2 is able to create a port using the
network demo-net:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field                 | Value                                                                           |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up        | True                                                                            |
| allowed_address_pairs |                                                                                 |
| binding:vnic_type     | normal                                                                          |
| device_id             |                                                                                 |
| device_owner          |                                                                                 |
| dns_name              |                                                                                 |
| fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.5"} |
| id                    | bab87cc9-2c83-489d-a973-1a42872a3dd4                                            |
| mac_address           | fa:16:3e:c6:93:e5                                                               |
| name                  |                                                                                 |
| network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
| security_groups       | 465c1c6f-e974-40e0-826e-72a2cc7d3fa4                                            |
| status                | DOWN                                                                            |
| tenant_id             | 3dd36d3f99494454bd4f887201684b63                                                |
+-----------------------+---------------------------------------------------------------------------------+
If the same user wants to create a port on demo-net with a fixed
IP on the 10.1.2.0/24 subnet, the port creation fails:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
(rule:create_port and rule:create_port:fixed_ips) on {'binding:host_id':
<object object at 0x7f1935be82a0>, 'name': '', 'allowed_address_pairs': <object
object at 0x7f1935be82a0>, u'admin_state_up': True, u'network_id':
u'85bb7612-e5fa-440c-bacf-86c5929298f3', 'tenant_id':
u'3dd36d3f99494454bd4f887201684b63', 'extra_dhcp_opts': None, 'mac_address':
<object object at 0x7f1935be82a0>, 'binding:vnic_type': 'normal',
'device_owner': '', 'dns_name': '', 'binding:profile': <object object at
0x7f1935be82a0>, u'fixed_ips': [{u'subnet_id':
u'ff01f7ca-d838-42dc-8d86-1b2830bc4824'}], u'network:tenant_id':
u'54913ee1ca89458ba792d685c799484d', 'security_groups': <object object at
0x7f1935be82a0>, 'device_id': ''} by {'domain': None, 'project_name':
u'demo-2', 'tenant_name': u'demo-2', 'project_domain': None, 'timestamp':
'2016-02-09 19:20:48.555574', 'auth_token': 'afa5047cd78b4774a6fd3ab3944f3f97',
'resource_uuid': None, 'is_admin': False, 'user':
u'ca2f2bb189e6401c9c27214d4aa33563', 'tenant':
u'3dd36d3f99494454bd4f887201684b63', 'read_only': False, 'project_id':
u'3dd36d3f99494454bd4f887201684b63', 'user_id':
u'ca2f2bb189e6401c9c27214d4aa33563', 'show_deleted': False, 'roles':
[u'_member_'], 'user_identity': 'ca2f2bb189e6401c9c27214d4aa33563
3dd36d3f99494454bd4f887201684b63 - - -', 'tenant_id':
u'3dd36d3f99494454bd4f887201684b63', 'request_id':
'req-7de91903-43ed-4940-a645-3418d10413ec', 'user_domain': None, 'user_name':
u'demo-2'} disallowed by policy
stack@Ubuntu-38:~/DEVSTACK/devstack$
The rbac rule for sharing of network demo-net with tenant "demo-2" is:
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron rbac-show ea979774-8383-4a7e-8cbe-50bbd58855e5
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | ea979774-8383-4a7e-8cbe-50bbd58855e5 |
| object_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| object_type | network |
| target_tenant | 3dd36d3f99494454bd4f887201684b63 |
| tenant_id | 54913ee1ca89458ba792d685c799484d |
+---------------+--------------------------------------+
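
Why the policy check rejects demo-2, as an added example (not part of the original bug report and not neutron's code): a small evaluator for 'or'-joined policy expressions, run against the target and credentials shown in the error output above. The rule strings are assumptions modelled on neutron's default policy.json of that period; the evaluator, the helper names and the owner's role list are constructed for illustration.

```python
# Added illustration, not neutron code. Rule strings are ASSUMED, modelled on
# neutron's default policy.json of that period; IDs come from the report above.
RULES = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner":
        "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_port": "",
    "create_port:fixed_ips":
        "rule:context_is_advsvc or rule:admin_or_network_owner",
}

def check(expr, target, creds):
    """Evaluate an 'or'-joined expression (small subset of policy syntax)."""
    if expr == "":
        return True  # an empty rule always passes
    return any(_atom(a.strip(), target, creds) for a in expr.split(" or "))

def _atom(atom, target, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check(RULES[match], target, creds)
    if kind == "role":
        return match in creds["roles"]
    try:  # generic check: creds[kind] must equal a value taken from the target
        return creds.get(kind) == match % target
    except KeyError:
        return False

def create_port_allowed(target, creds):
    """Mirror '(rule:create_port and rule:create_port:fixed_ips)'."""
    needed = ["create_port"]
    if "fixed_ips" in target:  # attribute rule applies only when the field is sent
        needed.append("create_port:fixed_ips")
    for name in needed:
        if not check(RULES[name], target, creds):
            return False, name
    return True, None

OWNER, DEMO2 = "54913ee1ca89458ba792d685c799484d", "3dd36d3f99494454bd4f887201684b63"
TARGET = {"network_id": "85bb7612-e5fa-440c-bacf-86c5929298f3",
          "network:tenant_id": OWNER,  # owner of demo-net, not the caller
          "fixed_ips": [{"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824"}]}
demo2 = {"tenant_id": DEMO2, "roles": ["_member_"]}
owner = {"tenant_id": OWNER, "roles": ["_member_"]}  # owner's roles are constructed

if __name__ == "__main__":
    print("demo-2 with --fixed-ip:", create_port_allowed(TARGET, demo2))
    print("owner  with --fixed-ip:", create_port_allowed(TARGET, owner))
    no_ip = {k: v for k, v in TARGET.items() if k != "fixed_ips"}
    print("demo-2 without it     :", create_port_allowed(no_ip, demo2))
```

Under these assumed rules the fixed_ips check compares only the caller's tenant with the network owner's tenant, so the access_as_shared RBAC entry for demo-2 is never consulted.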