[Yahoo-eng-team] [Bug 2052937] Re: Policy: binding operations are prohibited for service role

Bence Romsics Tue, 13 Feb 2024 06:52:49 -0800

** Changed in: neutron
       Status: Invalid => Triaged

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2052937


Title:
  Policy: binding operations are prohibited for service role

Status in neutron:
  Triaged

Bug description:
  Create/update port binding:* policies are admin only, which prevents
  for example ironic service user with service role to manage baremetal
  ports:

  
  "http://192.0.2.10:9292";, "region": "RegionOne"}], "id": 
"e6e42ef4fc984e71b575150e59a92704", "type": "image", "name": "glance"}]}} 
get_auth_ref 
/var/lib/kolla/venv/lib64/python3.9/site-packages/keystoneauth1/identity/v3/base.py:189
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron [None 
req-6737aef3-c823-4f7c-95ec-1c9f38b14faa a4dbb0dc59024c199843cea86603308b 
9fd64a4cbd774756869cb3968de2e9b6 - - default default] Unable to clear binding 
profile for neutron port 291dbb7b-5cc8-480d-b39d-eb849bcb4a64. Error: 
ForbiddenException: 403: Client Error for url: 
http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, 
((rule:update_port and rule:update_port:binding:host_id) and 
rule:update_port:binding:profile) is disallowed by policy: 
openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error 
for url: 
http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, 
((rule:update_port and rule:update_port:binding:host_id) and 
rule:update_port:binding:profile) is disallowed by policy
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron Traceback (most recent 
call last):
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", 
line 130, in unbind_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     
update_neutron_port(context, port_id, attrs_unbind, client)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", 
line 109, in update_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return 
client.update_port(port_id, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py",
 line 2992, in update_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return 
self._update(_port.Port, port, if_revision=if_revision, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/proxy.py", line 
61, in check
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return method(self, 
expected, actual, *args, **kwargs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py",
 line 202, in _update
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return 
res.commit(self, base_path=base_path, if_revision=if_revision)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 
1803, in commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return self._commit(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 
1848, in _commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     
self._translate_response(response, has_body=has_body)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 
1287, in _translate_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     
exceptions.raise_from_response(response, error_message=error_message)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File 
"/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/exceptions.py", 
line 250, in raise_from_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     raise cls(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron 
openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error 
for url: 
http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, 
((rule:update_port and rule:update_port:binding:host_id) and 
rule:update_port:binding:profile) is disallowed by policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2052937/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 2052937] Re: Policy: binding operations are prohibited for service role

Reply via email to