Reviewed:  https://review.openstack.org/609633
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=00147a7d700e6d0142161152137bbab0c39ce4c0
Submitter: Zuul
Branch:    master

commit 00147a7d700e6d0142161152137bbab0c39ce4c0
Author: Maciej Józefczyk <[email protected]>
Date:   Thu Oct 11 08:57:29 2018 +0000

    Allow advsvc role to create port in foreign tenant

    Change [1] introduced support for advsvc role. This added
    possibility for user with role advsvc to make CRUD operations on
    ports, subnets and networks in foreign tenants. Due the check in
    _validate_privileges() it was not working. This patch fixes that.

    Closes-Bug: #1796854

    [1] https://review.openstack.org/#/c/101281

    Change-Id: I6a3f91337bf8dd32012a75916e3409e30f46b50d

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1796854

Title:
  Neutron doesn't respect advscv role while creating port

Status in neutron:
  Fix Released

Bug description:
  Neutron doesn't allow user with role 'advsvc' to add port in other
  user tenant network.

  Introduced change:
  https://review.openstack.org/#/c/101281/10

  Should allow that, but in fact in neutron-lib there is no validation
  for advsvc role:
  https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28

  Error:
  Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges

  ----------------
  Version
  ----------------
  Devstack master.

  ----------------
  How to reproduce
  ----------------
  1. Setup devstack master, add new project and user to this project with role advsvc

     source devstack/openrc admin demo
     openstack project create advsvc-project
     openstack user create --project advsvc-project --password test advsvc-project-user
     openstack role create advsvc
     openstack role add --user advsvc-project-user --project advsvc-project advsvc
     openstack role add --user advsvc-project-user --project advsvc-project member

  2. Create network in other project.

     openstack project create test-project
     openstack user create --project test-project --password test test-project-user
     openstack role add --user test-project-user --project test-project member
     neutron net-create private-net-test-user --provider:network_type=vxlan --provider:segmentation_id=1234 --project-id [[ test-project-id ]]
     neutron subnet-create private-net-test-user --name private-subnet-test-user --allocation-pool start=10.13.12.100,end=10.13.12.130 10.13.12.0/24 --dns-nameserver 8.8.8.8 --project-id [[ test-project-id ]]

  3. Create a port in test-project tenant by user with advsvc role:

     stack@mjozefcz-devstack:~$ neutron port-create --tenant-id 865073224f7b4e9d9fdd4a446e3a4af4 private-net-test-user
     neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
     Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
     Neutron server returns request_ids: ['req-e841edb1-2cf2-47b6-a493-11a56114a323']
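
The ownership check described in the report, as a simplified model added here for illustration; it is not neutron-lib's code. The Context class, the role-name test for admin/advsvc and the function names are assumptions; only the error text comes from the report.

```python
from dataclasses import dataclass

ERROR = ("Specifying 'project_id' or 'tenant_id' other than the "
         "authenticated project in request requires admin privileges")


class BadRequest(Exception):
    """Stand-in for the error the API returns to the client."""


@dataclass
class Context:
    # Hypothetical request context holding only what the check needs.
    project_id: str
    roles: frozenset = frozenset()

    @property
    def is_admin(self):
        return "admin" in self.roles

    @property
    def is_advsvc(self):
        return "advsvc" in self.roles


def requested_project(body):
    # The request may name the owner as 'project_id' or 'tenant_id'.
    return body.get("project_id", body.get("tenant_id"))


def validate_before(ctx, body):
    """Reported behaviour: only admin may name a foreign project."""
    owner = requested_project(body)
    if owner is not None and owner != ctx.project_id and not ctx.is_admin:
        raise BadRequest(ERROR)


def validate_after(ctx, body):
    """Behaviour the commit message describes: advsvc is accepted too."""
    owner = requested_project(body)
    if (owner is not None and owner != ctx.project_id
            and not (ctx.is_admin or ctx.is_advsvc)):
        raise BadRequest(ERROR)


def allowed(check, ctx, body):
    """Return True if the given check lets the request through."""
    try:
        check(ctx, body)
        return True
    except BadRequest:
        return False
```

A plain member naming a foreign project is still rejected by both variants, which is the property to keep covered by tests when widening a check like this.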

