Reviewed:  https://review.openstack.org/588844
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c205963399b47eaa48b11835e28f527fa4dbc60a
Submitter: Zuul
Branch:    master

commit c205963399b47eaa48b11835e28f527fa4dbc60a
Author: Miguel Lavalle <[email protected]>
Date:   Fri Aug 3 18:35:45 2018 -0500

    Add note to RBAC chapter of Networking Guide

    This commit adds a note to the RBAC chapter of the Networking Guide
    clarifying that subnets inherit the RBAC policy entries of their
    network.

    Change-Id: Ic9256f3fcfe89b495c97df16fe6c6b3f052b9ab8
    Closes-Bug: #1784586

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1784586

Title:
  Networking guide doesn't clarify that subnets inherit the RBAC
  policies of their network

Status in neutron:
  Fix Released

Bug description:
  Subnets in an RBAC access_as_shared network are accessible to projects
  even if the subnet project_id doesn't match that project ID.

  OpenStack version used for testing: Pike stable on Red Hat ("Red Hat
  OpenStack Platform 12")

  Steps to reproduce:
  - Create three projects: proj1, proj2, proj3
  - Create a network in proj1
  - Share the network with other projects:
      openstack network rbac create --type network --action access_as_shared --target-project <proj2 ID>
      openstack network rbac create --type network --action access_as_shared --target-project <proj3 ID>
  - As admin, create multiple subnets in the network with --project:
      openstack subnet create --project <proj2 ID> --network <network_id> ...
      openstack subnet create --project <proj3 ID> --network <network_id> ...
  - Check that the project_id in the subnet is set to the project ID
    for each of the projects:
      openstack subnet show ...

  Expected results:
  - Requesting a subnet list in proj2 and proj3 only shows the subnets
    where project_id == project ID for that project ("my project ID").
  - Listing ports only shows the ports in the subnet(s) with
    project_id == "my project ID".
  - Ports can only be created in subnets with project_id == "my project ID".
  - A project isn't able to delete an (empty) 'foreign' subnet.

  Actual results:
  - A subnet list shows all subnets in the network, all subnets in all
    projects: UNEXPECTED
  - Listing ports only shows the ports in subnets with "my project ID":
    EXPECTED. However, see below.
  - If the allocation pool for a subnet isn't depleted, any project is
    able to create ports in subnets, even if the project_id of that
    subnet != "my project ID": UNEXPECTED. After creating a port in a
    'foreign subnet', the project is able to list those ports. To
    reproduce, use 'openstack port create'. Horizon seems to show the
    expected behavior.
  - If a subnet has no ports, any project can delete a subnet, even if
    its project_id doesn't match the current project ID: UNEXPECTED.
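
Added example, not part of the bug report or of Neutron's code: a small audit that applies the inheritance rule from the commit message (subnets inherit the RBAC policy entries of their network) to list, for each subnet, the projects that reach it without owning it. The inventory is constructed; field names (id, network_id, project_id, object_type, object_id, action, target_tenant) are assumed to follow the Neutron API resources, and all IDs are made up.

```python
# Constructed sample inventory mirroring the reproduction steps above.
# Field names are assumed to match Neutron API resources; IDs are made up.
NETWORKS = [{"id": "net-1", "project_id": "proj1"}]
RBAC_POLICIES = [
    {"object_type": "network", "object_id": "net-1",
     "action": "access_as_shared", "target_tenant": "proj2"},
    {"object_type": "network", "object_id": "net-1",
     "action": "access_as_shared", "target_tenant": "proj3"},
]
SUBNETS = [
    {"id": "sub-a", "network_id": "net-1", "project_id": "proj2"},
    {"id": "sub-b", "network_id": "net-1", "project_id": "proj3"},
]


def projects_with_access(network, policies):
    """Network owner plus every target of an access_as_shared entry on it."""
    allowed = {network["project_id"]}
    for policy in policies:
        if (policy["object_type"] == "network"
                and policy["object_id"] == network["id"]
                and policy["action"] == "access_as_shared"):
            allowed.add(policy["target_tenant"])
    return allowed


def foreign_subnet_exposure(networks, subnets, policies):
    """Map subnet id -> projects that reach the subnet but do not own it.

    A subnet has no RBAC entries of its own: whoever can use the network
    can use every subnet in it, whatever the subnet's project_id says.
    """
    networks_by_id = {net["id"]: net for net in networks}
    report = {}
    for subnet in subnets:
        network = networks_by_id[subnet["network_id"]]
        others = projects_with_access(network, policies) - {subnet["project_id"]}
        if others:
            report[subnet["id"]] = sorted(others)
    return report


if __name__ == "__main__":
    for subnet_id, projects in foreign_subnet_exposure(
            NETWORKS, SUBNETS, RBAC_POLICIES).items():
        print(f"{subnet_id}: also usable by {', '.join(projects)}")
```
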

