Bug 1349442

Summary: Restrict external network access to specific tenant
Product: Red Hat OpenStack
Reporter: Pratik Pravin Bandarkar <pbandark>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED DUPLICATE
QA Contact:
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.0 (Liberty)
CC: amuller, djuran, jraju, markmc, nyechiel, pbandark, sasha, sputhenp, srevivo
Target Milestone: ---
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-20 19:09:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pratik Pravin Bandarkar 2016-06-23 13:04:36 UTC
1. Proposed title of this feature request  
Restrict external network access to a specific tenant

3. What is the nature and description of the request?  

If there are multiple external networks created, all users from all tenants can add any of them as a gateway to their router.
For ex:
---->o---->o-----
# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| ea39022238084e03a02441451dbb0466 |  admin   |   True  |
| c4c4ec5d07af4ca8b79aed7f23624948 |   cee    |   True  |
+----------------------------------+----------+---------+

- Floating network created for "admin" tenant:
[root@rhos8 ~(keystone_admin)]# neutron net-show -F id -F name -F tenant_id -F router:external floating
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| id              | e3103400-2f9b-4a8f-85ba-56be31a3ff8b |
| name            | floating                             |
| router:external | True                                 |
| tenant_id       | ea39022238084e03a02441451dbb0466     |
+-----------------+--------------------------------------+

- `neutron net-list` output from the "cee" tenant as the "pbandark" user, who is a "_member_" of the tenant:
[root@rhos8 ~(keystone_pbandark1)]# neutron net-list
+--------------------------------------+--------------+-------------------------------------------------------+
| id                                   | name         | subnets                                               |
+--------------------------------------+--------------+-------------------------------------------------------+
| b13d5470-f236-49a1-b7dd-bd897221e78b | cee_network  | 59bbedb3-b98f-4dcb-a966-6efc2349462a 192.168.150.0/24 |
| 3f525bb7-207b-4649-be42-76c45b58fdb9 | internal_cee | 6578521a-8656-4e31-9536-fd3c6673114c 192.168.20.0/24  |
| e3103400-2f9b-4a8f-85ba-56be31a3ff8b | floating     | 4af9c4a2-c853-4fb0-b033-2a8f57e41c4d                  |
+--------------------------------------+--------------+-------------------------------------------------------+

- created router for "cee" tenant:
[root@rhos8 ~(keystone_pbandark1)]# neutron router-create cee-router00
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 41c0d031-5b3b-4906-948d-9ba4e2594e7c |
| name                  | cee-router00                         |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | c4c4ec5d07af4ca8b79aed7f23624948     |
+-----------------------+--------------------------------------+

- From the "cee" tenant I am able to set the "floating" external network as the gateway:
[root@rhos8 ~(keystone_pbandark1)]# neutron router-gateway-set cee-router00 floating
Set gateway for router cee-router00


[root@rhos8 ~(keystone_pbandark1)]# neutron router-show -F external_gateway_info -F tenant_id cee-router00
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                      |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| external_gateway_info | {"network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "4af9c4a2-c853-4fb0-b033-2a8f57e41c4d", "ip_address": "192.168.200.53"}]} |
| tenant_id             | c4c4ec5d07af4ca8b79aed7f23624948                                                                                                                                                           |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


[root@rhos8 ~(keystone_pbandark1)]# neutron router-interface-add cee-router00 6578521a-8656-4e31-9536-fd3c6673114c
Added interface a8e6a998-6778-47f7-ba8b-d6ea94fa9fb0 to router cee-router00.


[root@rhos8 ~(keystone_pbandark1)]# nova floating-ip-associate pbandark 192.168.200.54
[root@rhos8 ~(keystone_pbandark1)]# nova list
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
| ID                                   | Name     | Status | Task State | Power State | Networks                                  |
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
| 47fbdc29-48de-442c-8d97-bb6636a384d7 | pbandark | ACTIVE | -          | Running     | internal_cee=192.168.20.2, 192.168.200.54 | <== floating ip from network which was created only for admin tenant.
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
-----o<-----o<------

- Restrict external network access to a specific tenant. If an external network is created for one tenant, other users/tenants should not be able to access/see that external network.
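Until access to external networks can be restricted per tenant, an operator can at least detect the situation the report demonstrates: a router in one tenant whose gateway points at an external network owned by another tenant. The following audit check is an added example and is not part of the original bug report. It assumes network and router records shaped like the dictionaries the neutron client emits with its JSON output format (`-f json`, assumed); the sample records are constructed from the IDs shown in the report, plus two extra routers with placeholder IDs to show the non-matching cases.

```python
"""
Audit check: list routers whose external gateway network is owned by a
different tenant than the router itself.

Added example, not code from the bug report or from Neutron. The input
records are plain dictionaries with the same keys the neutron CLI shows
(`id`, `name`, `tenant_id`, `router:external`, `external_gateway_info`).
"""

# Constructed sample networks: the "floating" external network from the
# report is owned by the admin tenant; internal_cee belongs to the cee tenant.
NETWORKS = [
    {
        "id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b",
        "name": "floating",
        "router:external": True,
        "tenant_id": "ea39022238084e03a02441451dbb0466",  # admin
    },
    {
        "id": "3f525bb7-207b-4649-be42-76c45b58fdb9",
        "name": "internal_cee",
        "router:external": False,
        "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",  # cee
    },
]

# Constructed sample routers: cee-router00 is the router from the report after
# `router-gateway-set`; the other two (placeholder IDs) are added to show a
# same-tenant gateway and a router with no gateway at all.
ROUTERS = [
    {
        "id": "41c0d031-5b3b-4906-948d-9ba4e2594e7c",
        "name": "cee-router00",
        "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",  # cee
        "external_gateway_info": {
            "network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b",
            "enable_snat": True,
        },
    },
    {
        "id": "00000000-0000-0000-0000-000000000001",  # placeholder, constructed
        "name": "admin-router",
        "tenant_id": "ea39022238084e03a02441451dbb0466",  # admin
        "external_gateway_info": {
            "network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b",
            "enable_snat": True,
        },
    },
    {
        "id": "00000000-0000-0000-0000-000000000002",  # placeholder, constructed
        "name": "cee-router01",
        "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",  # cee
        "external_gateway_info": None,  # no gateway set
    },
]


def find_cross_tenant_gateways(networks, routers):
    """Return one finding per router whose gateway is an external network
    owned by a tenant other than the router's own tenant."""
    # Index only networks flagged router:external; a gateway can only be one of these.
    external_by_id = {n["id"]: n for n in networks if n.get("router:external")}
    findings = []
    for router in routers:
        gateway = router.get("external_gateway_info") or {}
        network = external_by_id.get(gateway.get("network_id"))
        if network is None:
            continue  # no gateway, or gateway id not among known external networks
        if network["tenant_id"] != router["tenant_id"]:
            findings.append({
                "router": router["name"],
                "router_tenant": router["tenant_id"],
                "network": network["name"],
                "network_tenant": network["tenant_id"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_tenant_gateways(NETWORKS, ROUTERS):
        print("router %(router)s (tenant %(router_tenant)s) uses external network "
              "%(network)s owned by tenant %(network_tenant)s" % finding)
```

Run against the sample data it reports exactly the case from the report, cee-router00 using the admin-owned "floating" network, and stays silent for the admin tenant's own router and for a router with no gateway. In a real deployment the records would come from an admin-scoped listing of all networks and routers, since a tenant-scoped listing only shows that tenant's own routers.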

Comment 4 Nir Yechiel 2016-06-23 13:24:46 UTC
This looks like a duplicate of BZ 1325676 to me. Can you please review and confirm?

Comment 8 Sadique Puthen 2016-06-24 06:58:34 UTC
Does this help? https://access.redhat.com/solutions/2022533

Comment 11 Assaf Muller 2016-12-20 19:09:31 UTC

*** This bug has been marked as a duplicate of bug 1325676 ***