Public bug reported:

Related to https://bugs.launchpad.net/neutron/+bug/1543756.

This fix was released in queens, but the following feature (https://review.openstack.org/#/c/577471/) re-introduced the bug on stable/rocky. With a non-admin user, port creation/update with a subnet ID on a shared network does not work anymore. Example:

## Network RBAC

$ openstack network rbac show f3605376-2fbb-4bfe-b412-b053870c6d56
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| id                | f3605376-2fbb-4bfe-b412-b053870c6d56 |
| name              | None                                 |
| object_id         | 07386598-add7-4246-90a4-0294e85446fa |
| object_type       | network                              |
| project_id        | 0631a4dbf7c949f1878c4f4a6dbf1d32     |
| target_project_id | *                                    |
+-------------------+--------------------------------------+

## Test port creation

$ openstack port create --network mynet --fixed-ip subnet=mysubnet testport
HttpException: 403: Client Error for url: http://openstack.example.org/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

Removing the line '"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",' from policy.json (same for the 'update_port:fixed_ip' rule) fixes the RBAC issues; everything works well.

It seems the bug is also on stein (I did not test, I presume): https://github.com/openstack/neutron/blob/master/neutron/conf/policies/port.py#L69 since policies have been included in code.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1824107

Title:
  RBAC: regression of port create/update by shared nw owners

Status in neutron:
  New
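To make the denial in the 403 message concrete, the following is an added Python illustration, not Neutron or oslo.policy code, that evaluates the quoted create_port:fixed_ips rule the way a policy engine would. It supports only the subset of the policy grammar those rules need (rule:, role:, a credential-to-target field comparison, and/or, parentheses). The generic rules context_is_admin, context_is_advsvc, admin_or_network_owner and the empty create_port rule are assumed to match Neutron's stock policy.json of that era; the network owner project_id is the one from the RBAC entry above, while the requesting and admin project IDs are constructed.

```python
"""Simplified policy evaluator showing why a shared-network user is denied.

Added illustration, not Neutron or oslo.policy code. Assumed generic rules are
approximations of Neutron's stock policy.json; the create_port:fixed_ips rule
is the one quoted in the bug report.
"""
import re

POLICY = {
    "context_is_admin": "role:admin",            # assumed stock rule
    "context_is_advsvc": "role:advsvc",          # assumed stock rule
    "admin_or_network_owner":                    # assumed stock rule
        "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_port": "",                           # assumed: empty rule = always allowed
    "create_port:fixed_ips":                     # quoted verbatim from the report
        "rule:context_is_advsvc or rule:admin_or_network_owner",
}

# Tokens: parentheses, the keywords and/or, or an atom such as
# rule:x, role:x, tenant_id:%(network:tenant_id)s.
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")


class PolicyEvaluator:
    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule_name, target, creds):
        """Evaluate a named rule; an unknown rule name is treated as a denial."""
        expr = self.rules.get(rule_name)
        if expr is None:
            return False
        return self._eval(expr, target, creds)

    def _eval(self, expr, target, creds):
        tokens = TOKEN_RE.findall(expr)
        if not tokens:
            return True  # an empty rule string allows everyone
        pos = [0]

        def peek():
            return tokens[pos[0]] if pos[0] < len(tokens) else None

        def take():
            tok = tokens[pos[0]]
            pos[0] += 1
            return tok

        def parse_or():            # expr := term ('or' term)*
            result = parse_and()
            while peek() == "or":
                take()
                result = parse_and() or result
            return result

        def parse_and():           # term := factor ('and' factor)*
            result = parse_factor()
            while peek() == "and":
                take()
                rhs = parse_factor()
                result = result and rhs
            return result

        def parse_factor():        # factor := '(' expr ')' | atom
            tok = take()
            if tok == "(":
                value = parse_or()
                take()             # consume ')'
                return value
            return self._atom(tok, target, creds)

        return parse_or()

    def _atom(self, tok, target, creds):
        kind, _, value = tok.partition(":")
        if kind == "rule":
            return self.enforce(value, target, creds)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic check: creds[kind] == value, where %(field)s refers to the target.
        m = re.fullmatch(r"%\((.+)\)s", value)
        if m:
            return creds.get(kind) == target.get(m.group(1))
        return creds.get(kind) == value


def port_create_allowed(evaluator, creds, target, has_fixed_ips):
    """Mirror the combined check named in the 403 message:
    create_port, and additionally create_port:fixed_ips when the request
    body carries fixed_ips."""
    allowed = evaluator.enforce("create_port", target, creds)
    if has_fixed_ips:
        allowed = allowed and evaluator.enforce("create_port:fixed_ips", target, creds)
    return allowed


EVALUATOR = PolicyEvaluator(POLICY)
NETWORK_OWNER = "0631a4dbf7c949f1878c4f4a6dbf1d32"   # project_id from the RBAC entry
# Constructed target: a port on the shared network, requested from another project.
# Neutron adds the owning project under the "network:tenant_id" target key.
TARGET = {
    "network_id": "07386598-add7-4246-90a4-0294e85446fa",
    "network:tenant_id": NETWORK_OWNER,
    "tenant_id": "c0ffee0000000000000000000000beef",      # constructed
}
TENANT_USER = {"tenant_id": "c0ffee0000000000000000000000beef", "roles": ["member"]}
OWNER_USER = {"tenant_id": NETWORK_OWNER, "roles": ["member"]}
ADMIN_USER = {"tenant_id": "deadbeef00000000000000000000cafe", "roles": ["admin"]}

if __name__ == "__main__":
    for name, creds in (("shared-net user", TENANT_USER), ("owner", OWNER_USER), ("admin", ADMIN_USER)):
        print(name, "with fixed_ips:", port_create_allowed(EVALUATOR, creds, TARGET, True))
```

Running it shows the shape of the regression: the shared-network user passes create_port but fails create_port:fixed_ips, because admin_or_network_owner reduces to comparing the caller's tenant_id with the network's owner, which an RBAC access_as_shared grant does not change; only the owner project and admin get through with a subnet in the request.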

