Hello, I have Packstack 10 environment, attaching policy.json file which is used to restrict network related activity to admin users only. By configuring this policy rules, regular users cannot create/delete/update network, routers. However, a regular user can still set or clear the gateway of the router. ~~~ [root@packstack10 ~(keystone_admin)]# cat rahulrc unset OS_SERVICE_TOKEN export OS_USERNAME=rahul export OS_PASSWORD=rahul123 export OS_AUTH_URL=http://192.168.122.10:5000/v2.0 export PS1='[\u@\h \W(rahul)]\$ ' export OS_TENANT_NAME=admin export OS_REGION_NAME=RegionOne [root@packstack10 ~(keystone_admin)]# source rahulrc [root@packstack10 ~(rahul)]# neutron --debug router-gateway-set router1 public DEBUG: stevedore.extension found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oauth1 = keystoneauth1.extras.oauth1._loading:V3OAuth1') DEBUG: stevedore.extension found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode') DEBUG: stevedore.extension found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3samlpassword = keystoneauth1.extras._saml2._loading:Saml2Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcaccesstoken = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAccessToken') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword') DEBUG: stevedore.extension found extension EntryPoint.parse('v3kerberos = keystoneauth1.extras.kerberos._loading:Kerberos') DEBUG: stevedore.extension found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcclientcredentials = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectClientCredentials') DEBUG: stevedore.extension found extension EntryPoint.parse('v3tokenlessauth = keystoneauth1.loading._plugins.identity.v3:TokenlessAuth') DEBUG: stevedore.extension found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3totp = keystoneauth1.loading._plugins.identity.v3:TOTP') DEBUG: stevedore.extension found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3fedkerb = keystoneauth1.extras.kerberos._loading:MappedKerberos') DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-basic = gnocchiclient.auth:GnocchiBasicLoader') DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-noauth = gnocchiclient.auth:GnocchiNoAuthLoader') DEBUG: stevedore.extension found extension EntryPoint.parse('token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint') DEBUG: stevedore.extension found extension EntryPoint.parse('aodh-noauth = aodhclient.noauth:AodhNoAuthLoader') DEBUG: neutronclient.neutron.v2_0.router.SetGatewayRouter run(Namespace(disable_snat=False, enable_snat=False, external_network=u'public', fixed_ip=None, request_format='json', router=u'router1')) DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:5000/v2.0 -H "Accept: application/json" -H "User-Agent: neutron keystoneauth1/2.12.3 python-requests/2.11.1 CPython/2.7.5" DEBUG: keystoneauth.session RESP: [200] Date: Thu, 05 Apr 2018 05:03:29 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-aecb21f2-1d6f-4344-9e15-a69448e69cb6 Content-Encoding: gzip Content-Length: 232 Connection: close Content-Type: application/json RESP BODY: {"version": {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.122.10:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}} DEBUG: keystoneauth.identity.v2 Making authentication request to http://192.168.122.10:5000/v2.0/tokens DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9" DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 61 X-Openstack-Request-Id: req-a8f24b3a-7b44-47ef-affb-af3f41e2fcd9 Date: Thu, 05 Apr 2018 05:03:30 GMT Connection: keep-alive RESP BODY: {"routers": [{"id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79"}]} DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 used request id req-a8f24b3a-7b44-47ef-affb-af3f41e2fcd9 DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/networks.json?fields=id&name=public -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9" DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 62 X-Openstack-Request-Id: req-e4e2f421-d526-4553-84cb-dbee45c99081 Date: Thu, 05 Apr 2018 05:03:30 GMT Connection: keep-alive RESP BODY: {"networks": [{"id": "c75b3b98-d248-4054-9be0-241dcf613300"}]} DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/networks.json?fields=id&name=public used request id req-e4e2f421-d526-4553-84cb-dbee45c99081 DEBUG: keystoneauth.session REQ: curl -g -i -X PUT http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9" -d '{"router": {"external_gateway_info": {"network_id": "c75b3b98-d248-4054-9be0-241dcf613300"}}}' DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 648 X-Openstack-Request-Id: req-f0446eb7-4d3d-401e-b8f6-a24f6cb747e9 Date: Thu, 05 Apr 2018 05:03:31 GMT Connection: keep-alive RESP BODY: {"router": {"status": "ACTIVE", "external_gateway_info": {"network_id": "c75b3b98-d248-4054-9be0-241dcf613300", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "d9b99f0c-9a33-4950-96cb-5dc2c656d39a", "ip_address": "192.168.122.132"}]}, "availability_zone_hints": [], "availability_zones": ["nova"], "description": "", "admin_state_up": true, "tenant_id": "154e7c26be4f4c8eb00864031b15851b", "created_at": "2018-03-22T08:36:13Z", "updated_at": "2018-04-05T05:03:31Z", "flavor_id": null, "revision_number": 39, "routes": [], "project_id": "154e7c26be4f4c8eb00864031b15851b", "id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79", "name": "router1"}} DEBUG: neutronclient.v2_0.client PUT call to neutron for http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json used request id req-f0446eb7-4d3d-401e-b8f6-a24f6cb747e9 Set gateway for router router1 [root@packstack10 ~(rahul)]# neutron --debug router-gateway-clear router1 public DEBUG: stevedore.extension found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oauth1 = keystoneauth1.extras.oauth1._loading:V3OAuth1') DEBUG: stevedore.extension found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode') DEBUG: stevedore.extension found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3samlpassword = keystoneauth1.extras._saml2._loading:Saml2Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcaccesstoken = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAccessToken') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword') DEBUG: stevedore.extension found extension EntryPoint.parse('v3kerberos = keystoneauth1.extras.kerberos._loading:Kerberos') DEBUG: stevedore.extension found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcclientcredentials = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectClientCredentials') DEBUG: stevedore.extension found extension EntryPoint.parse('v3tokenlessauth = keystoneauth1.loading._plugins.identity.v3:TokenlessAuth') DEBUG: stevedore.extension found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token') DEBUG: stevedore.extension found extension EntryPoint.parse('v3totp = keystoneauth1.loading._plugins.identity.v3:TOTP') DEBUG: stevedore.extension found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password') DEBUG: stevedore.extension found extension EntryPoint.parse('v3fedkerb = keystoneauth1.extras.kerberos._loading:MappedKerberos') DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-basic = gnocchiclient.auth:GnocchiBasicLoader') DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-noauth = gnocchiclient.auth:GnocchiNoAuthLoader') DEBUG: stevedore.extension found extension EntryPoint.parse('token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint') DEBUG: stevedore.extension found extension EntryPoint.parse('aodh-noauth = aodhclient.noauth:AodhNoAuthLoader') DEBUG: neutronclient.neutron.v2_0.router.RemoveGatewayRouter run(Namespace(request_format='json', router=u'router1')) DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:5000/v2.0 -H "Accept: application/json" -H "User-Agent: neutron keystoneauth1/2.12.3 python-requests/2.11.1 CPython/2.7.5" DEBUG: keystoneauth.session RESP: [200] Date: Thu, 05 Apr 2018 05:04:30 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-aeb7d21c-6cac-4d65-a404-0da06b23213d Content-Encoding: gzip Content-Length: 232 Connection: close Content-Type: application/json RESP BODY: {"version": {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.122.10:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}} DEBUG: keystoneauth.identity.v2 Making authentication request to http://192.168.122.10:5000/v2.0/tokens DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}03b0a59527a06dcffcd3db8c5ced4b662bddb6d6" DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 61 X-Openstack-Request-Id: req-ede3e9e3-81ab-4d5f-97e0-14130dfc872b Date: Thu, 05 Apr 2018 05:04:30 GMT Connection: keep-alive RESP BODY: {"routers": [{"id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79"}]} DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 used request id req-ede3e9e3-81ab-4d5f-97e0-14130dfc872b DEBUG: keystoneauth.session REQ: curl -g -i -X PUT http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}03b0a59527a06dcffcd3db8c5ced4b662bddb6d6" -d '{"router": {"external_gateway_info": {}}}' DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 465 X-Openstack-Request-Id: req-9bccbdc3-e6f3-41e2-99af-501c5b5ed77a Date: Thu, 05 Apr 2018 05:04:32 GMT Connection: keep-alive RESP BODY: {"router": {"status": "ACTIVE", "external_gateway_info": null, "availability_zone_hints": [], "availability_zones": ["nova"], "description": "", "admin_state_up": true, "tenant_id": "154e7c26be4f4c8eb00864031b15851b", "created_at": "2018-03-22T08:36:13Z", "updated_at": "2018-04-05T05:04:31Z", "flavor_id": null, "revision_number": 42, "routes": [], "project_id": "154e7c26be4f4c8eb00864031b15851b", "id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79", "name": "router1"}} DEBUG: neutronclient.v2_0.client PUT call to neutron for http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json used request id req-9bccbdc3-e6f3-41e2-99af-501c5b5ed77a Removed gateway from router router1 ~~~ Is there any other policy rule I need to configure to restrict this?
You should add this entry to policy.json to restrict updating of routers to admin-only: "update_router": "rule:admin_only" I tried that locally and it worked. Later versions have an "admin_or_owner" entry for update router that maybe would have made that more obvious.
Please update bug once customer has had a chance to test this, thanks.
Brian++ Thank you, customer has tested and confirmed that the provided solution is working. Regards, Rahul Chincholkar