Bug 1722242

Summary: [neutron][RBAC] User is not allowed to create port with fixed IP on shared network via RBAC
Product: Red Hat OpenStack
Reporter: Mauro Oddi <moddi>
Component: openstack-neutron
Assignee: Slawek Kaplonski <skaplons>
Status: CLOSED ERRATA
QA Contact: Eran Kuris <ekuris>
Severity: medium
Docs Contact:
Priority: high
Version: 14.0 (Rocky)
CC: amuller, ccamposr, chrisw, madhusudan-h.kulkarni, njohnston, pmorey, scohen, skaplons
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-neutron-13.0.4-0.20190508213445.de95bc6.el7ost
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1753118 (view as bug list)
Environment:
Last Closed: 2019-11-06 16:50:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1753118

Description Mauro Oddi 2019-06-19 18:49:02 UTC
Description of problem:
When a network is shared via RBAC between two tenants and the neutron policy is modified to allow adding ports with fixed IPs to shared networks, still the policy is not honoured and the port creation fails.


Version-Release number of selected component (if applicable):
Rocky - RHOSP14
python-neutron-lbaas-13.0.1-0.20181017150329.1353bad.el7ost.noarch
openstack-neutron-fwaas-13.0.2-0.20190123183836.90951a5.el7ost.noarch
python-neutron-fwaas-13.0.2-0.20190123183836.90951a5.el7ost.noarch
openstack-neutron-13.0.3-0.20190313155649.00b63be.el7ost.noarch
python2-neutronclient-6.9.1-0.20180925041810.7eba94e.el7ost.noarch
openstack-neutron-common-13.0.3-0.20190313155649.00b63be.el7ost.noarch
openstack-neutron-ml2-13.0.3-0.20190313155649.00b63be.el7ost.noarch
puppet-neutron-13.3.2-0.20190214000933.2246751.el7ost.noarch
python-neutron-13.0.3-0.20190313155649.00b63be.el7ost.noarch
openstack-neutron-lbaas-13.0.1-0.20181017150329.1353bad.el7ost.noarch
python2-neutron-lib-1.18.0-0.20180816094046.67865c7.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
 1. Create tenant1 with user1 and tenant2 with user2, assign testrole to both

 2. Change the default policy.json to allow creation of ports with fixed IP address in a shared network:

        ()[root@controller-2 /]# diff /etc/neutron/policy.json /etc/neutron/policy.json.bkp
        78c78
        < "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
        ---
        > "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
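Review bot: note the argument order of the `diff` command: the live /etc/neutron/policy.json is the first argument, so the `<` line is the modified rule and the `>` line is the stock one, and the only change is appending `or rule:shared` to `create_port:fixed_ips:ip_address`. In the stock Rocky policy.json `shared` is defined as `field:networks:shared=True`, a check on the `shared` attribute of the network as fetched during policy evaluation; whether that attribute reflects the RBAC grant depends on the context that fetch is made with, which is the point raised at the end of the report.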

 3. As user1 create a network and share it via RBAC to tenant2:

        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
        +---------------------------+--------------------------------------+
        | Field | Value |
        +---------------------------+--------------------------------------+
        | admin_state_up | UP |
        | availability_zone_hints | |
        | availability_zones | |
        | created_at | 2019-06-19T18:01:01Z |
        | description | |
        | dns_domain | None |
        | id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | ipv4_address_scope | None |
        | ipv6_address_scope | None |
        | is_default | False |
        | is_vlan_transparent | None |
        | mtu | 1450 |
        | name | rbacnet1 |
        | port_security_enabled | True |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | provider:network_type | None |
        | provider:physical_network | None |
        | provider:segmentation_id | None |
        | qos_policy_id | None |
        | revision_number | 2 |
        | router:external | Internal |
        | segments | None |
        | shared | False |
        | status | ACTIVE |
        | subnets | |
        | tags | |
        | updated_at | 2019-06-19T18:01:02Z |
        +---------------------------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
        +--------------------------------------+----------+--------------------------------------+
        | ID | Name | Subnets |
        +--------------------------------------+----------+--------------------------------------+
        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | |
        | d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
        +--------------------------------------+----------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf1add0902f73690bac rbacnet1
        +-------------------+--------------------------------------+
        | Field | Value |
        +-------------------+--------------------------------------+
        | action | access_as_shared |
        | id | e377033b-f374-4fd5-8015-9a7426681d7e |
        | name | None |
        | object_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | object_type | network |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | target_project_id | ba08ccc271614bf1add0902f73690bac |
        +-------------------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
        +-------------------+--------------------------------------+
        | Field | Value |
        +-------------------+--------------------------------------+
        | allocation_pools | 10.0.100.2-10.0.100.254 |
        | cidr | 10.0.100.0/24 |
        | created_at | 2019-06-19T18:10:50Z |
        | description | |
        | dns_nameservers | |
        | enable_dhcp | True |
        | gateway_ip | 10.0.100.1 |
        | host_routes | |
        | id | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
        | ip_version | 4 |
        | ipv6_address_mode | None |
        | ipv6_ra_mode | None |
        | name | rbacsubnet1 |
        | network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | revision_number | 0 |
        | segment_id | None |
        | service_types | |
        | subnetpool_id | None |
        | tags | |
        | updated_at | 2019-06-19T18:10:50Z |
        +-------------------+--------------------------------------+

 4. As user2 try to create a port with a fixed IP:

        user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
        user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
        +--------------------------------------+----------+--------------------------------------+
        | ID | Name | Subnets |
        +--------------------------------------+----------+--------------------------------------+
        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
        | d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
        +--------------------------------------+----------+--------------------------------------+
        user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
        | shared | True |

        user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=rbacsubnet1,ip-address=10.0.100.123
        HttpException: 403: Client Error for url: http://10.0.0.112:9696/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

 5. Creating the port without fixed IP works fine

        user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
        +-----------------------+----------------------------------------------------------------------------+
        | Field | Value |
        +-----------------------+----------------------------------------------------------------------------+
        | admin_state_up | UP |
        | allowed_address_pairs | |
        | binding_host_id | None |
        | binding_profile | None |
        | binding_vif_details | None |
        | binding_vif_type | None |
        | binding_vnic_type | normal |
        | created_at | 2019-06-19T18:28:49Z |
        | data_plane_status | None |
        | description | |
        | device_id | |
        | device_owner | |
        | dns_assignment | None |
        | dns_domain | None |
        | dns_name | None |
        | extra_dhcp_opts | |
        | fixed_ips | ip_address='10.0.100.15', subnet_id='c00f565b-e4eb-4bf5-852c-8a22b95911fa' |
        | id | 7fe12e20-0e2c-4801-9742-da2eeef63f43 |
        | mac_address | fa:16:3e:99:6e:6b |
        | name | portx11 |
        | network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | port_security_enabled | True |
        | project_id | ba08ccc271614bf1add0902f73690bac |
        | qos_policy_id | None |
        | revision_number | 2 |
        | security_group_ids | 063f4f88-24f8-442d-b1b4-d0f9e5bc4f9b |
        | status | DOWN |
        | tags | |
        | trunk_details | None |
        | updated_at | 2019-06-19T18:28:49Z |
        +-----------------------+----------------------------------------------------------------------------+

Expected result is that the port with fixed IP should be created following the policy.
Even though rule:shared should be honoured, the policy is interpreted within an admin context where the network looks like shared = False.


Actual results:
The port creation is disallowed by policy

Expected results:
The port should be created successfully

Additional info:

Upstream bug: https://bugs.launchpad.net/neutron/+bug/1833455
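To make the mechanism described in the report concrete, here is an added model (constructed for this page, not neutron's code): a small evaluator for the subset of policy.json syntax the modified rule uses, plus a stand-in network lookup whose `shared` value includes RBAC grants only when the lookup is made with the caller's own context rather than an admin one. `get_network`, `check`, `may_set_fixed_ip` and the tenant/network identifiers are assumptions made for the example.

```python
import re
# Constructed subset of a Rocky policy.json: the stock rules referenced by the
# modified create_port:fixed_ips:ip_address rule from the diff in step 2.
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
    "create_port:fixed_ips:ip_address":
        "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
}
# Constructed data mirroring the report: rbacnet1 owned by tenant1, shared column False,
# plus one access_as_shared RBAC entry granted to tenant2.
NETWORKS = {"rbacnet1": {"tenant_id": "tenant1", "shared": False}}
RBAC = [{"object_id": "rbacnet1", "action": "access_as_shared", "target_tenant": "tenant2"}]
TENANT2 = {"tenant_id": "tenant2", "roles": ["testrole"], "is_admin": False}
ADMIN_CTX = {"tenant_id": None, "roles": ["admin"], "is_admin": True}

def get_network(ctx, network_id):
    """Stand-in for the plugin lookup behind field:/tenant_id: checks (hypothetical).
    A tenant context folds its RBAC grants into 'shared'; admin sees the raw column."""
    net = dict(NETWORKS[network_id])
    if not ctx["is_admin"]:
        net["shared"] = net["shared"] or any(
            r["object_id"] == network_id and r["action"] == "access_as_shared"
            and r["target_tenant"] == ctx["tenant_id"] for r in RBAC)
    return net

def check(rule, target, creds, lookup_ctx):
    """Evaluate the or / rule: / role: / field: / tenant_id: subset of policy syntax."""
    if " or " in rule:
        return any(check(r, target, creds, lookup_ctx) for r in rule.split(" or "))
    kind, match = rule.split(":", 1)
    if kind == "rule":
        return check(POLICY[match], target, creds, lookup_ctx)
    if kind == "role":
        return match in creds["roles"]
    net = get_network(lookup_ctx, target["network_id"])
    if kind == "field":  # field:networks:<attr>=<value>
        attr, value = re.fullmatch(r"networks:(\w+)=(\w+)", match).groups()
        return str(net[attr]) == value
    # owner check: tenant_id:%(network:tenant_id)s compares creds with the network owner
    attr = re.fullmatch(r"%\(network:(\w+)\)s", match).group(1)
    return creds.get(kind) == net[attr]

def may_set_fixed_ip(creds, lookup_ctx):
    """Outcome of the fixed_ips.ip_address check for a port on rbacnet1, fetching the network with lookup_ctx."""
    target = {"network_id": "rbacnet1", "fixed_ips": [{"ip_address": "10.0.100.123"}]}
    return check(POLICY["create_port:fixed_ips:ip_address"], target, creds, lookup_ctx)
```

With `lookup_ctx=ADMIN_CTX` the call for `TENANT2` returns False, reproducing the 403 in step 4; with `lookup_ctx=TENANT2` the RBAC grant is visible and it returns True.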

Comment 5 Slawek Kaplonski 2019-07-11 13:38:44 UTC
I have prepared a hot fix locally. I applied it on a test env and checked that it works as expected. If the hot fix request is approved I can provide it here as an attachment.

Comment 15 errata-xmlrpc 2019-11-06 16:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3750

Comment 16 Madhu Kulkarni 2022-10-17 10:05:18 UTC
Is it solved? I have RHOSP 16.2 and am facing this issue.