Description of problem:
Getting a 404 error when I try to create a Cloud Network from CloudForms when OSP is added with a non-admin user. It looks like CloudForms is trying to create a provider network when it is supposed to be a tenant network.

[----] E, [2017-05-17T11:02:00.401605 #32295:d8d13c] ERROR -- : excon.error #<Excon::Error::Forbidden: Expected([201]) <=> Actual(403 Forbidden)
excon.error.response
  :body => "{\"NeutronError\": {\"message\": \"(rule:create_network and rule:create_network:provider:network_type) on {'router:external': False, 'availability_zone_hints': [], u'name': u'cfme-net', 'provider:physical_network': <neutron_lib.constants.Sentinel object at 0x282c150>, u'admin_state_up': True, 'tenant_id': u'69bd99b72a884732862814b42225001d', 'segments': <neutron_lib.constants.Sentinel object at 0x282c150>, 'provider:segmentation_id': <neutron_lib.constants.Sentinel object at 0x282c150>, u'provider:network_type': u'local', 'is_default': False, 'qos_policy_id': None, 'port_security_enabled': True, u'shared': False, 'project_id': u'69bd99b72a884732862814b42225001d', 'description': ''} by {'domain': None, 'project_name': u'cfme-project', 'tenant_name': u'cfme-project', 'project_domain': None, 'timestamp': '2017-05-17 16:09:20.540895', 'auth_token': '389637cfa3d34820af3277f3d08adeca', 'resource_uuid': None, 'is_admin': False, 'user': u'c75eca84b1c94297a00a3535a1e4ca8a', 'tenant': u'69bd99b72a884732862814b42225001d', 'read_only': False, 'project_id': u'69bd99b72a884732862814b42225001d', 'user_id': u'c75eca84b1c94297a00a3535a1e4ca8a', 'show_deleted': False, 'roles': [u'_member_'], 'user_identity': u'c75eca84b1c94297a00a3535a1e4ca8a 69bd99b72a884732862814b42225001d - - -', 'tenant_id': u'69bd99b72a884732862814b42225001d', 'is_admin_project': True, 'request_id': 'req-ff982484-04ca-4e4a-8e54-d4e04fda59a5', 'user_domain': None, 'user_name': u'cfme'} disallowed by policy\", \"type\": \"PolicyNotAuthorized\", \"detail\": \"\"}}"
  :cookies => [ ]
  :headers => {
    "Content-Length" => "1526"
    "Content-Type" => "application/json"
    "Date" => "Wed, 17 May 2017 16:09:20 GMT"
    "X-Openstack-Request-Id" => "req-ff982484-04ca-4e4a-8e54-d4e04fda59a5"
  }
  :host => "10.10.192.31"
  :local_address => "10.10.181.44"
  :local_port => 37754
  :path => "/v2.0/networks"
  :port => 9696
  :reason_phrase => "Forbidden"
  :remote_ip => "10.10.192.31"
  :status => 403
  :status_line => "HTTP/1.1 403 Forbidden\r\n"
>

Version-Release number of selected component (if applicable):
4.2

How reproducible:

Steps to Reproduce:
1. Add OSP provider to CloudForms with a non-admin user
2. Create a cloud network
3.

Actual results:
404 error

Expected results:

Additional info:
A Tenant cannot create an external router without being granted admin privileges, please see [1] for more details. Also, and maybe more importantly, the OpenStack network provider requires an admin user to be able to operate; effectively all operations are executed by the admin on behalf of a tenant (placement). So I don't see how a Tenant without admin privileges can create a network (whether external or not).

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/Installation_and_Configuration_Guide/Configuring_a_Provider_Network1.html
Hi Gilles,

Normal users can create a tenant (internal) network without admin privilege in OpenStack, for example:

# neutron net-create net1

But the following will result in a 403 Forbidden error for normal users:

# neutron net-create net1 --provider:network_type vxlan

(That --provider:network_type doesn't indicate net1 must be a provider network.)

I assume CloudForms thought --provider:network_type is a mandatory option (which I can see in the UI) when creating a network. But I agree that a privileged user should be used when adding the provider. So for this case, do you think it makes sense to improve the UI so that --provider:network_type is an optional field?

Best Regards,
Chen
Hi Chen,

Sorry, I was focusing on the external network case. I'm investigating now and will get back to you shortly.

Regards,
Gilles
Hi Chen,

Could you please provide:
- The OSP version you're testing with
- How the user/tenant (project) was created and any post-install setup done on OSP
- The authentication details used for CF when adding the cloud provider: Keystone V3 or V2.0 and other options, such as tenant mapping and user
- Are you using the admin user on CF?

Thanks
Hi Chen,

I can see the issue while simply using Keystone V2.0, therefore just ignore my previous message in #comment7. You're right, providing the provider type blocks the network from being created when the user is not admin. But even when the provider type is not passed it holds an empty value which blocks fog-openstack. I'm going to clone this BZ to be able to attach a patch against the ManageIQ master branch, the latter to be backported here.
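The two behaviours described in the comments above (a plain tenant network is allowed for a _member_ user, anything carrying a provider:* or router:external attribute is refused by policy, and a blank UI field that is still forwarded as an attribute counts as "set") can be reproduced offline with the snippet below. This is an added illustration and is not ManageIQ, fog-openstack or Neutron code: naive_network_body, build_network_body and policy_violation are hypothetical names, the form hash is constructed input, and policy_violation is only a local approximation of Neutron's attribute-based policy check, assuming (from the default policy.json) that an admin-only attribute is enforced whenever it is present in the request and differs from its default.

```ruby
require 'json'

# create_network attributes that the default Neutron policy.json reserves for
# admin (rule:create_network:provider:network_type and friends). The provider:*
# keys are the ones named in the 403 above; router:external is the external
# network case raised in comment 1. Assumed from the default policy, not read
# from a live deployment.
ADMIN_ONLY_KEYS = %w[
  provider:network_type
  provider:physical_network
  provider:segmentation_id
  router:external
].freeze

# Defaults Neutron applies when an attribute is omitted. provider:* have no
# default (ATTR_NOT_SPECIFIED), so any value, even "", counts as explicitly set.
ATTR_DEFAULTS = { 'router:external' => false }.freeze

# true for nil, "" and whitespace-only form values
def blank?(value)
  value.nil? || (value.respond_to?(:strip) && value.strip.empty?)
end

# The pattern that trips a non-admin user: every form field is copied into the
# request body whether or not the user filled it in, so an empty provider type
# still reaches Neutron as a provider:network_type attribute.
def naive_network_body(form)
  {
    'network' => {
      'name'                  => form['name'],
      'admin_state_up'        => form.fetch('admin_state_up', true),
      'provider:network_type' => form['provider:network_type'],
      'router:external'       => form.fetch('router:external', false),
    }
  }
end

# The hardened pattern: only admin-only attributes the user actually set are
# sent, so a plain tenant network carries none of them.
def build_network_body(form)
  net = {
    'name'           => form['name'],
    'admin_state_up' => form.fetch('admin_state_up', true),
  }
  ADMIN_ONLY_KEYS.each do |key|
    value = form[key]
    next if blank?(value) || value == false
    net[key] = value
  end
  { 'network' => net }
end

# Hypothetical local stand-in for the Neutron policy decision (not Neutron's
# code): returns the name of the failing rule, or nil when the request would be
# allowed. An admin-only attribute is enforced when it is present and differs
# from its default, which is what produces the
# "rule:create_network and rule:create_network:provider:network_type" message.
def policy_violation(body, is_admin:)
  return nil if is_admin
  net = body['network']
  hit = ADMIN_ONLY_KEYS.find { |key| net.key?(key) && net[key] != ATTR_DEFAULTS[key] }
  hit && "create_network:#{hit}"
end

def to_request_json(body)
  JSON.generate(body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the user typed a name and left the provider type empty.
  form = { 'name' => 'cfme-net', 'provider:network_type' => '' }
  [naive_network_body(form), build_network_body(form)].each do |body|
    puts to_request_json(body)
    puts "  -> #{policy_violation(body, is_admin: false) || 'allowed'} for a _member_ user"
  end
end
```

The check worth keeping from this is the one in build_network_body: a provider or external attribute goes on the wire only when it carries a value, so the admin-only policy rules are never triggered for a tenant network, while an admin user who really wants a vxlan or external network still gets the attribute passed through unchanged.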
PR: https://github.com/ManageIQ/manageiq-ui-classic/pull/1411
This has been fixed and merged upstream
Verified
========
5.9.0.17