Bug 1670572

Summary:	Horizon network port create panel shows "port security" checkbox that breaks port creation for non-admin users
Product:	Red Hat OpenStack	Reporter:	David Vallee Delisle <dvd>
Component:	python-django-horizon	Assignee:	Radomir Dopieralski <rdopiera>
Status:	CLOSED ERRATA	QA Contact:	Ashish Gupta <ashigupt>
Severity:	high	Docs Contact:
Priority:	high
Version:	17.0 (Wallaby)	CC:	alisci, athomas, bshephar, camorris, chrisw, csibbitt, dhruv, dkallner, gdiotte, ikanias, jbeaudoi, jrist, jschluet, kmehta, matteo.panella, mircea.vutcovici, njohnston, nnavarat, rdopiera, skaplons, tdoucet, tovchinn, vkoul, ykulkarn
Target Milestone:	z1	Keywords:	Reopened, Triaged
Target Release:	17.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	python-django-horizon-19.3.0-0.20221114160241.82698aa.el9ost	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-01-25 12:28:47 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2129483

Description David Vallee Delisle 2019-01-29 20:23:13 UTC

Description of problem:
Using a project _member_'s credential, when creating a port with --enabled-port-security or --disable-port-security, neutron-server is not obeying the default policy. When creating the port without --*-port-security, it's not obeying either

Version-Release number of selected component (if applicable):
https://access.redhat.com/containers/#/registry.access.redhat.com/rhosp13/openstack-neutron-server/images/13.0-64
openstack-neutron-12.0.4-2.el7ost.noarch

How reproducible:
All the time

Steps to Reproduce: [1]
0. source project _member_ credentials
1. openstack port create bla --vnic-type normal --network name
2. openstack port create bla --vnic-type normal --network name --disable-port-security
3. openstack port create bla --vnic-type normal --network name --enable-port-security
4. Creating a port through horizon, with or without port security enabled

Actual results:
For reference, this is the default policies [2]:
0. Always as project _member_
1. Creating a port without --*-port-security succeeds and port-security is enabled
2. Creating a port with --disable-port-security fails.
3. Creating a port with --enable-port-security fails.
4. Fails all the time, no matter if we enable or disable port-security

Expected results:
Based on the default policies [2]:
1. This should fail because by default we can't enable port-security, and the default seems to have it on.
2. This should succeed because we are not network owner or admin.
3. This is failing as expected.
4. This should work if we disable port-security.

Additional info:

[1]
~~~
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85
+-----------------------+-------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                           |
+-----------------------+-------------------------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                                              |
| allowed_address_pairs |                                                                                                 |
| binding_host_id       | None                                                                                            |
| binding_profile       | None                                                                                            |
| binding_vif_details   | None                                                                                            |
| binding_vif_type      | None                                                                                            |
| binding_vnic_type     | normal                                                                                          |
| created_at            | 2019-01-29T19:57:07Z                                                                            |
| data_plane_status     | None                                                                                            |
| description           |                                                                                                 |
| device_id             |                                                                                                 |
| device_owner          |                                                                                                 |
| dns_assignment        | None                                                                                            |
| dns_name              | None                                                                                            |
| extra_dhcp_opts       |                                                                                                 |
| fixed_ips             | ip_address='xxx', subnet_id='8698fae0-3600-475c-b84a-c0dac810fb26'                   |
|                       | ip_address='xxx', subnet_id='a690460d-b7ec-4ced-b8bf-3b48b90a7f7e' |
| id                    | fc102516-93e3-493a-9db7-b14912e76baa                                                            |
| ip_address            | None                                                                                            |
| mac_address           | fa:16:3e:52:22:99                                                                               |
| name                  | bla                                                                                             |
| network_id            | 97988f55-649b-4bdc-ab08-3f61b2958d85                                                            |
| option_name           | None                                                                                            |
| option_value          | None                                                                                            |
| port_security_enabled | True                                                                                            |
| project_id            | 38c2a42d76d143f69f3c0cc037a43ec9                                                                |
| qos_policy_id         | None                                                                                            |
| revision_number       | 7                                                                                               |
| security_group_ids    | 19b13e8f-b170-4b2b-baa4-b57c677c4dba                                                            |
| status                | DOWN                                                                                            |
| subnet_id             | None                                                                                            |
| tags                  |                                                                                                 |
| trunk_details         | None                                                                                            |
| updated_at            | 2019-01-29T19:57:07Z                                                                            |
+-----------------------+-------------------------------------------------------------------------------------------------+
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85 --disable-port-security
HttpException: Unknown error
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ ^C
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85 --enable-port-security
HttpException: Unknown error
~~~

[2]
~~~
# docker exec -ti neutron_api grep create_port /etc/neutron/policy.json
    "create_port": "",
    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
~~~

Comment 1 Brian Haley 2019-02-06 13:08:13 UTC

Hi David - does the neutron server log show anything useful?  Also, does running the openstack client with --debug show a more useful error?  I think it's getting swallowed by one of the libraries here.

Our testing upstream showed it worked there, we'll need to try and reproduce on OSP 13 when we have a chance.

Comment 2 David Vallee Delisle 2019-02-06 19:58:43 UTC

Hello,

Here's the output with --debug of all 3 cases.

[1] with --enable-port-security
[2] with --disable-port-security
[3] without --*port-security

I'll attach the neutron server.log with debug enabled in a private attachment.

Let me know if you need anything else.

DVD

[1]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}f4801b84b2b93476a84662a8398d7e1095407e1f" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "port_security_enabled": true, "binding:vnic_type": "direct", "name": "dvdtest1", "admin_state_up": true}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 403 204
RESP: [403] Content-Type: application/json Content-Length: 204 X-Openstack-Request-Id: req-fc84d4c4-e28b-4b9e-928c-3d320d6222c5 Date: Wed, 06 Feb 2019 19:49:30 GMT 
RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

POST call to network for https://xxx:13696/v2.0/ports used request id req-fc84d4c4-e28b-4b9e-928c-3d320d6222c5
Manager unknown ran task network.POST.ports in 1.35062813759s
HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
clean_up CreatePort: HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error

END return value: 1
~~

[2]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}460575f2e0bd2a4328f23f13612cd4637e8d9f94" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "port_security_enabled": false, "binding:vnic_type": "direct", "name": "dvdtest1", "admin_state_up": true}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 403 204
RESP: [403] Content-Type: application/json Content-Length: 204 X-Openstack-Request-Id: req-fde234a9-a064-4dcb-8057-125a4685353f Date: Wed, 06 Feb 2019 19:50:58 GMT 
RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

POST call to network for https://xxx:13696/v2.0/ports used request id req-fde234a9-a064-4dcb-8057-125a4685353f
Manager unknown ran task network.POST.ports in 0.6009349823s
HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
clean_up CreatePort: HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error

END return value: 1
~~

[3]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}b8f8eed01afabec974d860d2baaeb3c03783dbe0" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "admin_state_up": true, "name": "dvdtest1", "binding:vnic_type": "direct"}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 201 750
RESP: [201] Content-Type: application/json Content-Length: 750 X-Openstack-Request-Id: req-b26013fc-76fa-4fdf-bad5-b01a0a8b7fc9 Date: Wed, 06 Feb 2019 19:51:38 GMT 
RESP BODY: {"port":{"allowed_address_pairs":[],"extra_dhcp_opts":[],"updated_at":"2019-02-06T19:51:36Z","device_owner":"","revision_number":6,"port_security_enabled":true,"fixed_ips":[{"subnet_id":"fe9f18fd-7904-479d-badb-1e14f5ff6632","ip_address":"XXX"}],"id":"2742f9c1-7ef4-4be5-9c09-097b42db3020","security_groups":["19b13e8f-b170-4b2b-baa4-b57c677c4dba"],"mac_address":"fa:16:3e:d6:db:6a","device_id":"","status":"DOWN","description":"","tags":[],"name":"dvdtest1","project_id":"38c2a42d76d143f69f3c0cc037a43ec9","qos_policy_id":null,"admin_state_up":true,"network_id":"47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7","tenant_id":"38c2a42d76d143f69f3c0cc037a43ec9","created_at":"2019-02-06T19:51:36Z","binding:vnic_type":"direct","ip_allocation":"immediate"}}

POST call to network for https://xxx:13696/v2.0/ports used request id req-b26013fc-76fa-4fdf-bad5-b01a0a8b7fc9
Manager unknown ran task network.POST.ports in 6.09331393242s
+-----------------------+---------------------------------------------------------------------------+
| Field                 | Value                                                                     |
+-----------------------+---------------------------------------------------------------------------+
| admin_state_up        | UP                                                                        |
| allowed_address_pairs |                                                                           |
| binding_host_id       | None                                                                      |
| binding_profile       | None                                                                      |
| binding_vif_details   | None                                                                      |
| binding_vif_type      | None                                                                      |
| binding_vnic_type     | direct                                                                    |
| created_at            | 2019-02-06T19:51:36Z                                                      |
| data_plane_status     | None                                                                      |
| description           |                                                                           |
| device_id             |                                                                           |
| device_owner          |                                                                           |
| dns_assignment        | None                                                                      |
| dns_name              | None                                                                      |
| extra_dhcp_opts       |                                                                           |
| fixed_ips             | ip_address='XXX', subnet_id='fe9f18fd-7904-479d-badb-1e14f5ff6632' |
| id                    | 2742f9c1-7ef4-4be5-9c09-097b42db3020                                      |
| ip_address            | None                                                                      |
| mac_address           | fa:16:3e:d6:db:6a                                                         |
| name                  | dvdtest1                                                                  |
| network_id            | 47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7                                      |
| option_name           | None                                                                      |
| option_value          | None                                                                      |
| port_security_enabled | True                                                                      |
| project_id            | 38c2a42d76d143f69f3c0cc037a43ec9                                          |
| qos_policy_id         | None                                                                      |
| revision_number       | 6                                                                         |
| security_group_ids    | 19b13e8f-b170-4b2b-baa4-b57c677c4dba                                      |
| status                | DOWN                                                                      |
| subnet_id             | None                                                                      |
| tags                  |                                                                           |
| trunk_details         | None                                                                      |
| updated_at            | 2019-02-06T19:51:36Z                                                      |
+-----------------------+---------------------------------------------------------------------------+
clean_up CreatePort: 
END return value: 0
~~~

Comment 4 Brian Haley 2019-02-07 16:33:29 UTC

So as expected, the error being returned is:

RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

In one of the server logs I see this:

Enforcing rules: ['create_port', 'create_port:port_security_enabled', 'create_port:binding:vnic_type'] log_rule_list /usr/lib/python2.7/site-packages/neutron/policy.py:334
Failed policy check for 'create_port' enforce /usr/lib/python2.7/site-packages/neutron/policy.py:405

At first I thought '--vnic-type normal' was causing it, but I can't reproduce this on master, so perhaps it's something in OSP 13?

Comment 10 Nate Johnston 2019-03-01 21:30:45 UTC

David,

I cannot reproduce this.  Can you send me the policy.json for these hosts?  I need to see whether they differ from standard, and if so by how much.

Thanks,

Nate

Comment 21 Gabriel Diotte 2019-08-08 17:35:50 UTC

Hey Radomir!

I just wanted to follow up on this to see if any progress was made so that I may update the customer.

Thanks,
Gabriel

Comment 22 Radomir Dopieralski 2019-08-12 07:48:48 UTC

There has been no progress, we were working on other bugs.

Comment 48 Slawek Kaplonski 2021-06-07 10:13:52 UTC

*** Bug 1954046 has been marked as a duplicate of this bug. ***

Comment 72 Tommy Doucet 2022-05-13 12:10:23 UTC

Any update on this?

Comment 75 Radomir Dopieralski 2022-09-26 11:35:58 UTC

*** Bug 2129483 has been marked as a duplicate of this bug. ***

Comment 88 errata-xmlrpc 2023-01-25 12:28:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0271