Bug 1400917 - router creation permission issue - 'neutron router-create' vs 'openstack router create' - inconsistent for _member_ role
Summary: router creation permission issue - 'neutron router-create' vs 'openstack rout...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-openstackclient
Version: 9.0 (Mitaka)
Hardware: All
OS: Linux
medium
medium
Target Milestone: async
: 9.0 (Mitaka)
Assignee: Assaf Muller
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On:
Blocks: 1474259
TreeView+ depends on / blocked
 
Reported: 2016-12-02 10:02 UTC by VIKRANT
Modified: 2020-12-14 07:54 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause & Consequence: There are two issues 1) When "router_distributed=True" is set in neutron.conf, admin can't override with --distributed flag(can't create non-distributed router) 2) "openstack router create" for non-admin user failing, as openstack client is always passing "distributed" flag(with true/false) to server for even non-admin user. Fix: We allow centralized and distributed flags during router creation with this build. And also not passing "distributed" flag for non-admin user. Result: 1) Admin can create distributed and non-distributed routers through CLI flags with this change. 2) Non-admin user can create router with openstack client.
Clone Of:
: 1474259 (view as bug list)
Environment:
Last Closed: 2018-06-26 12:08:22 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1659020 0 None None None 2017-02-14 06:44:32 UTC
Launchpad 1664255 0 None None None 2017-02-14 06:44:04 UTC
Red Hat Knowledge Base (Solution) 2791251 0 None None None 2016-12-02 13:17:40 UTC

Description VIKRANT 2016-12-02 10:02:27 UTC 
Description of problem:
router creation permission issue - 'neutron router-create' vs 'openstack router create' - inconsistent for _member_ role

Version-Release number of selected component (if applicable):
RHEL OSP 9

How reproducible:
Everytime

Steps to Reproduce:

1. Able to create router using with default policy. Note : this is not a HA router. 

[heat-admin@overcloud-controller-0 keystonerc]$ neutron router-create test
Created a new router:
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | True                                 |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| description             |                                      |
| external_gateway_info   |                                      |
| id                      | 3dadc0eb-dc5e-4203-a3d1-ace8c2bd6a75 |
| name                    | test                                 |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tenant_id               | 0ed641d527e042f6a9eec4e2db290293     |
+-------------------------+--------------------------------------+

2. Not able to create router as same tenant using "openstack" command.

[heat-admin@overcloud-controller-0 keystonerc]$ openstack router create test1
HttpException: Forbidden


3.

Actual results:
It's not allowing us to create router using openstack command. 


Expected results:
It should allow us to create router using openstack command. 

Additional info:

Seeing this behaviour with default policy. 

~~~
[root@overcloud-controller-0 ~]# grep -i create_router /etc/neutron/policy.json 
    "create_router": "rule:regular_user",
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "create_router:distributed": "rule:admin_only",
    "create_router:ha": "rule:admin_only",
    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
~~~
Comment 4 anil venkata 2017-02-14 06:46:31 UTC 
Reported https://bugs.launchpad.net/python-openstackclient/+bug/1664255 and https://bugs.launchpad.net/python-openstackclient/+bug/1659020 in u/s, and also corresponding changes 
https://review.openstack.org/#/c/433442/  (master)
https://review.openstack.org/#/c/433452/ (newton)
https://review.openstack.org/#/c/433457/ (mitaka)
Comment 9 anil venkata 2017-07-20 04:30:34 UTC 
@Ihar

In u/s, this backport https://review.openstack.org/#/c/433452/2 was not allowed with below reasons(i.e review comments),
1) The stable policy is even stricter for OSC than usual, critical bug fixes backported only.
2) That's definitely not a High impact issue. You always have access to neutronclient.


Do we follow the same for d/s also? i.e shall we go ahead and say we can't backport to osc and use neutronclient in this case?
or can we backport that to d/s osp9?

thanks
Anil
Comment 10 Ihar Hrachyshka 2017-07-21 14:35:49 UTC 
Anil, upstream rules should not define what we can do for OSP. Yes, we can backport the patch in OSP.
Comment 11 anil venkata 2017-07-21 16:06:13 UTC 
Thanks Ihar. I will backport in d/s. 

Thanks
Anil
Comment 12 anil venkata 2017-08-10 11:30:39 UTC 
Build python-openstackclient-2.3.1-2.el7ost created with the fix.
Comment 13 Julie Pichon 2017-08-31 13:31:35 UTC 
Moving back to ON_DEV as the OSP9 backport introduces a regression and needs to be reworked a bit. I left a comment on the review. Thanks!
Comment 14 anil venkata 2018-06-26 07:30:15 UTC 
https://code.engineering.redhat.com/gerrit/#/c/113270/ reverted. Need a fresh backport. But I feel its not worthy for developer to spend time on backporting to d/w OSC as discussed in comment 9( backporting is not allowed in u/s).
Comment 15 Assaf Muller 2018-06-26 12:08:22 UTC 
The severity of the bug does not align with the support policy for OSP 9. I am closing this bug.
Note You need to log in before you can comment on or make changes to this bug.