Public bug reported:

Generally we prohibit non-admin users from creating and updating a network with the external option [1, 2] via policy.json. However, a non-admin user can change the external option using an RBAC policy.

[1]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L52
[2]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L64

$ openstack network create net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2017-10-24T15:15:22Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | db82dcea-9e91-4f81-9447-6d90bccb050f |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | net                                  |
| port_security_enabled     | True                                 |
| project_id                | 9e01496fa46a425bb5228f3b6d73ca6c     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 2                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2017-10-24T15:15:22Z                 |
+---------------------------+--------------------------------------+

A non-admin user cannot update his network's external option:

$ openstack network set --external net
HttpException: Forbidden (HTTP 403) (Request-ID: req-21866c75-25f5-416c-80b3-312fef71b36f), (rule:update_network and rule:update_network:router:external) is disallowed by policy

A non-admin user can update his network's external option using an RBAC policy:

$ openstack network rbac create --type network --target-project 3b3ff25f99884355932f5d316847ebbe --action access_as_external net
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_external                   |
| id                | 95bade41-77f7-4495-a90a-29fa6eba0518 |
| name              | None                                 |
| object_id         | db82dcea-9e91-4f81-9447-6d90bccb050f |
| object_type       | network                              |
| project_id        | 9e01496fa46a425bb5228f3b6d73ca6c     |
| target_project_id | 3b3ff25f99884355932f5d316847ebbe     |
+-------------------+--------------------------------------+

$ openstack network show net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2017-10-24T15:15:22Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | db82dcea-9e91-4f81-9447-6d90bccb050f |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | net                                  |
| port_security_enabled     | True                                 |
| project_id                | 9e01496fa46a425bb5228f3b6d73ca6c     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 4                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2017-10-24T15:16:38Z                 |
+---------------------------+--------------------------------------+

** Affects: neutron
     Importance: Undecided
     Assignee: Hirofumi Ichihara (ichihara-hirofumi)
         Status: New

** Tags: access-control

** Changed in: neutron
     Assignee: (unassigned) => Hirofumi Ichihara (ichihara-hirofumi)

** Tags added: access-control

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1726914

Title:
  Non admin can change external of network through RBAC policy

Status in neutron:
  New
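The report above shows the gap from the requester's side: a direct `network set --external` is refused by `update_network:router:external`, yet an `access_as_external` RBAC entry on the same network leaves it showing `router:external = External`. The script below is an added audit example, not part of the bug report or of neutron, that an operator could run over exported CLI data to find networks already in that state: external networks whose owning project is not an admin project, together with the `access_as_external` RBAC entries attached to them. Assumptions: the input is lists of dicts whose keys match the Field names printed above (`id`, `project_id`, `router:external`, `object_id`, `action`, `target_project_id`); `router:external` may arrive as a JSON bool or as the table text "External"/"Internal"; the set of admin project IDs is supplied by the operator (the `ADMIN_PROJECTS` value here is constructed); the second sample network and its project ID are constructed, the first network and RBAC entry copy the values from the report.

```python
"""Audit networks flagged router:external via tenant-created RBAC entries.

Added example (not from the bug report or from neutron). Cross-checks
network records against RBAC records and reports external networks owned
by a project that is not on the operator-supplied admin list.
"""
import json
import sys
from typing import Dict, Iterable, List, Set


def is_external(network: dict) -> bool:
    """Normalise router:external: JSON gives a bool, the table gives text."""
    value = network.get("router:external")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("external", "true")


def find_tenant_externals(networks: Iterable[dict],
                          rbac_entries: Iterable[dict],
                          admin_projects: Set[str]) -> List[dict]:
    """Return one finding per external network owned by a non-admin project.

    Each finding lists the access_as_external RBAC entries on that network.
    An empty list means the flag was set by some other path and still
    deserves a look; a non-empty list is the pattern from the report.
    """
    grants: Dict[str, List[dict]] = {}
    for entry in rbac_entries:
        if (entry.get("object_type") == "network"
                and entry.get("action") == "access_as_external"):
            grants.setdefault(entry["object_id"], []).append(entry)

    findings = []
    for net in networks:
        if not is_external(net):
            continue
        owner = net.get("project_id")
        if owner in admin_projects:
            continue
        findings.append({
            "network_id": net["id"],
            "name": net.get("name"),
            "owner_project": owner,
            "rbac_entries": [
                {"id": g["id"],
                 "creator_project": g.get("project_id"),
                 "target_project": g.get("target_project_id")}
                for g in grants.get(net["id"], [])
            ],
        })
    return findings


# Constructed sample input. The first network and the RBAC entry reuse the
# identifiers from the report; the second network and ADMIN_PROJECTS are
# made up to show an external network that is legitimately admin-owned.
ADMIN_PROJECTS = {"0f1e2d3c4b5a69788796a5b4c3d2e1f0"}

SAMPLE_NETWORKS = [
    {"id": "db82dcea-9e91-4f81-9447-6d90bccb050f", "name": "net",
     "project_id": "9e01496fa46a425bb5228f3b6d73ca6c",
     "router:external": "External"},
    {"id": "6a0d2b7e-1c3f-4e5a-9b8c-7d6e5f4a3b2c", "name": "public",
     "project_id": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     "router:external": True},
]

SAMPLE_RBAC = [
    {"id": "95bade41-77f7-4495-a90a-29fa6eba0518",
     "object_type": "network", "action": "access_as_external",
     "object_id": "db82dcea-9e91-4f81-9447-6d90bccb050f",
     "project_id": "9e01496fa46a425bb5228f3b6d73ca6c",
     "target_project_id": "3b3ff25f99884355932f5d316847ebbe"},
]


def main(argv: List[str]) -> int:
    """Usage: audit.py [networks.json rbac.json]; defaults to the sample."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            networks = json.load(f)
        with open(argv[2]) as f:
            rbac = json.load(f)
    else:
        networks, rbac = SAMPLE_NETWORKS, SAMPLE_RBAC
    findings = find_tenant_externals(networks, rbac, ADMIN_PROJECTS)
    print(json.dumps(findings, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data this reports the network from the bug (owner `9e01496f…`, one `access_as_external` grant created by that same project) and stays silent on the admin-owned network. The check is detective only: it finds networks that have already been flipped. Closing the gap itself belongs in the policy that governs RBAC entry creation, which this script does not touch.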

