Bug 1349442 - Restrict external network access to specific tenant
Status: CLOSED DUPLICATE of bug 1325676
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: 8.0 (Liberty)
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assignee: RHOS Maint
Reported: 2016-06-23 13:04 UTC by Pratik Pravin Bandarkar
Modified: 2019-12-16 05:59 UTC
Last Closed: 2016-12-20 19:09:31 UTC

Description Pratik Pravin Bandarkar 2016-06-23 13:04:36 UTC
1. Proposed title of this feature request
Restrict external access network to a specific tenant

3. What is the nature and description of the request?

If multiple external networks are created, all users from all tenants can add any of them as a gateway to their routers.
For example:
---->o---->o-----
# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| ea39022238084e03a02441451dbb0466 |  admin   |   True  |
| c4c4ec5d07af4ca8b79aed7f23624948 |   cee    |   True  |
+----------------------------------+----------+---------+

- Floating network created for "admin" tenant:
[root@rhos8 ~(keystone_admin)]# neutron net-show -F id -F name -F tenant_id -F router:external floating
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| id              | e3103400-2f9b-4a8f-85ba-56be31a3ff8b |
| name            | floating                             |
| router:external | True                                 |
| tenant_id       | ea39022238084e03a02441451dbb0466     |
+-----------------+--------------------------------------+

- `neutron net-list` output from the "cee" tenant as user "pbandark", who is a "_member_" of the tenant:
[root@rhos8 ~(keystone_pbandark1)]# neutron net-list
+--------------------------------------+--------------+-------------------------------------------------------+
| id                                   | name         | subnets                                               |
+--------------------------------------+--------------+-------------------------------------------------------+
| b13d5470-f236-49a1-b7dd-bd897221e78b | cee_network  | 59bbedb3-b98f-4dcb-a966-6efc2349462a 192.168.150.0/24 |
| 3f525bb7-207b-4649-be42-76c45b58fdb9 | internal_cee | 6578521a-8656-4e31-9536-fd3c6673114c 192.168.20.0/24  |
| e3103400-2f9b-4a8f-85ba-56be31a3ff8b | floating     | 4af9c4a2-c853-4fb0-b033-2a8f57e41c4d                  |
+--------------------------------------+--------------+-------------------------------------------------------+

- created router for "cee" tenant:
[root@rhos8 ~(keystone_pbandark1)]# neutron router-create cee-router00
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 41c0d031-5b3b-4906-948d-9ba4e2594e7c |
| name                  | cee-router00                         |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | c4c4ec5d07af4ca8b79aed7f23624948     |
+-----------------------+--------------------------------------+

- From the "cee" tenant I am able to set the "floating" external network as the gateway:
[root@rhos8 ~(keystone_pbandark1)]# neutron router-gateway-set cee-router00 floating
Set gateway for router cee-router00


[root@rhos8 ~(keystone_pbandark1)]# neutron router-show -F external_gateway_info -F tenant_id cee-router00
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                                      |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| external_gateway_info | {"network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "4af9c4a2-c853-4fb0-b033-2a8f57e41c4d", "ip_address": "192.168.200.53"}]} |
| tenant_id             | c4c4ec5d07af4ca8b79aed7f23624948                                                                                                                                                           |
+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


[root@rhos8 ~(keystone_pbandark1)]# neutron router-interface-add cee-router00 6578521a-8656-4e31-9536-fd3c6673114c
Added interface a8e6a998-6778-47f7-ba8b-d6ea94fa9fb0 to router cee-router00.


[root@rhos8 ~(keystone_pbandark1)]# nova floating-ip-associate pbandark 192.168.200.54
[root@rhos8 ~(keystone_pbandark1)]# nova list
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
| ID                                   | Name     | Status | Task State | Power State | Networks                                  |
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
| 47fbdc29-48de-442c-8d97-bb6636a384d7 | pbandark | ACTIVE | -          | Running     | internal_cee=192.168.20.2, 192.168.200.54 | <== floating ip from network which was created only for admin tenant.
+--------------------------------------+----------+--------+------------+-------------+-------------------------------------------+
-----o<-----o<------

- Restrict external access network to a specific tenant. If an external network is created for one tenant, other users/tenants should not be able to access or see that external network.
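
The condition the report describes (a router in one project pointing its gateway at an external network owned by another project) can be audited from the Neutron API data. The script below is an added example and not code from the report or from Neutron; it assumes its input has the shape of the `GET /v2.0/networks` and `GET /v2.0/routers` responses (the fields `id`, `name`, `tenant_id`/`project_id`, `router:external`, `shared` and `external_gateway_info` are real Neutron fields, while the `load_records` file-loading path and the `admin-router`/`no-gateway` records are assumptions constructed to exercise the other branches). The network and router IDs in the sample data are the ones shown in the report.

```python
"""Audit routers whose external gateway sits on an external network that
belongs to a different project (tenant).

Added example for this report, not code from the report or from Neutron.
Input is assumed to have the shape of the Neutron API responses for
GET /v2.0/networks and GET /v2.0/routers.
"""
import json
import sys
from typing import Any, Dict, List, Optional

# Constructed sample data. The "floating" network, "internal_cee" network and
# "cee-router00" use the IDs from the report; "admin-router" and "no-gateway"
# are made up to exercise the remaining branches of the check.
NETWORKS: List[Dict[str, Any]] = [
    {"id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b", "name": "floating",
     "tenant_id": "ea39022238084e03a02441451dbb0466",  # admin tenant
     "router:external": True, "shared": False},
    {"id": "3f525bb7-207b-4649-be42-76c45b58fdb9", "name": "internal_cee",
     "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",  # cee tenant
     "router:external": False, "shared": False},
]

ROUTERS: List[Dict[str, Any]] = [
    {"id": "41c0d031-5b3b-4906-948d-9ba4e2594e7c", "name": "cee-router00",
     "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",  # cee tenant
     "external_gateway_info": {
         "network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b",
         "enable_snat": True,
         "external_fixed_ips": [{"subnet_id": "4af9c4a2-c853-4fb0-b033-2a8f57e41c4d",
                                 "ip_address": "192.168.200.53"}]}},
    {"id": "11111111-1111-1111-1111-111111111111", "name": "admin-router",  # constructed
     "tenant_id": "ea39022238084e03a02441451dbb0466",
     "external_gateway_info": {"network_id": "e3103400-2f9b-4a8f-85ba-56be31a3ff8b"}},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "no-gateway",  # constructed
     "tenant_id": "c4c4ec5d07af4ca8b79aed7f23624948",
     "external_gateway_info": None},
]


def _project(obj: Dict[str, Any]) -> Optional[str]:
    """Newer Neutron returns project_id, older releases tenant_id; accept both."""
    return obj.get("project_id") or obj.get("tenant_id")


def cross_project_gateways(networks: List[Dict[str, Any]],
                           routers: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per router whose gateway is an external network that
    is owned by a different project and is not explicitly shared."""
    external = {n["id"]: n for n in networks if n.get("router:external")}
    findings = []
    for router in routers:
        gateway = router.get("external_gateway_info") or {}
        network = external.get(gateway.get("network_id"))
        if network is None:
            continue  # no gateway set, or gateway on a non-external network
        if network.get("shared"):
            continue  # shared=True: cross-project use is the operator's intent
        if _project(network) == _project(router):
            continue  # the owning project using its own network is expected
        findings.append({
            "router_id": router["id"],
            "router_name": router.get("name", ""),
            "router_project": _project(router),
            "network_id": network["id"],
            "network_name": network.get("name", ""),
            "network_owner": _project(network),
        })
    return findings


def load_records(path: str) -> List[Dict[str, Any]]:
    """Load a JSON list of records from a file (assumption: the operator saved
    the API response body, which wraps the list as {"networks": [...]} or
    {"routers": [...]}, or a bare JSON list)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if isinstance(data, dict):
        data = next(iter(data.values()))
    return data


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        networks, routers = load_records(argv[1]), load_records(argv[2])
    else:
        networks, routers = NETWORKS, ROUTERS  # fall back to the constructed sample
    findings = cross_project_gateways(networks, routers)
    for f in findings:
        print(f"router {f['router_name']} ({f['router_id']}) of project "
              f"{f['router_project']} uses external network {f['network_name']} "
              f"({f['network_id']}) owned by project {f['network_owner']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it audits the constructed sample and reports `cee-router00`, which reproduces the report's situation; with two file arguments (`networks.json routers.json`) it audits exported data. A network with `shared=True` is skipped because cross-project use is then deliberate; on releases that have Neutron RBAC for external networks (the `access_as_external` action, which is not available in the Liberty release this report targets) an operator would additionally exclude networks whose RBAC entries grant the router's project access.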

Comment 4 Nir Yechiel 2016-06-23 13:24:46 UTC
This looks like a duplicate of BZ 1325676 to me. Can you please review and confirm?

Comment 8 Sadique Puthen 2016-06-24 06:58:34 UTC
Does this help? https://access.redhat.com/solutions/2022533

Comment 11 Assaf Muller 2016-12-20 19:09:31 UTC

*** This bug has been marked as a duplicate of bug 1325676 ***

