Bug 1563928 - neutron policy for set or clear gateway of router
Summary: neutron policy for set or clear gateway of router
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Brian Haley
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-05 05:10 UTC by Rahul Chincholkar
Modified: 2021-06-10 15:40 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 20:57:30 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Rahul Chincholkar 2018-04-05 05:10:40 UTC
Hello,

I have Packstack 10 environment, attaching policy.json file which is used to restrict network related activity to admin users only.
By configuring this policy rules, regular users cannot create/delete/update network, routers.
However, a regular user can still set or clear the gateway of the router.

~~~
[root@packstack10 ~(keystone_admin)]# cat rahulrc 
unset OS_SERVICE_TOKEN
    export OS_USERNAME=rahul
    export OS_PASSWORD=rahul123
    export OS_AUTH_URL=http://192.168.122.10:5000/v2.0
    export PS1='[\u@\h \W(rahul)]\$ '
    
export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne


[root@packstack10 ~(keystone_admin)]# source rahulrc 


[root@packstack10 ~(rahul)]# neutron --debug router-gateway-set router1 public
DEBUG: stevedore.extension found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oauth1 = keystoneauth1.extras.oauth1._loading:V3OAuth1')
DEBUG: stevedore.extension found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG: stevedore.extension found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3samlpassword = keystoneauth1.extras._saml2._loading:Saml2Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcaccesstoken = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAccessToken')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3kerberos = keystoneauth1.extras.kerberos._loading:Kerberos')
DEBUG: stevedore.extension found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcclientcredentials = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectClientCredentials')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3tokenlessauth = keystoneauth1.loading._plugins.identity.v3:TokenlessAuth')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3totp = keystoneauth1.loading._plugins.identity.v3:TOTP')
DEBUG: stevedore.extension found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3fedkerb = keystoneauth1.extras.kerberos._loading:MappedKerberos')
DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-basic = gnocchiclient.auth:GnocchiBasicLoader')
DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-noauth = gnocchiclient.auth:GnocchiNoAuthLoader')
DEBUG: stevedore.extension found extension EntryPoint.parse('token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint')
DEBUG: stevedore.extension found extension EntryPoint.parse('aodh-noauth = aodhclient.noauth:AodhNoAuthLoader')
DEBUG: neutronclient.neutron.v2_0.router.SetGatewayRouter run(Namespace(disable_snat=False, enable_snat=False, external_network=u'public', fixed_ip=None, request_format='json', router=u'router1'))
DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:5000/v2.0 -H "Accept: application/json" -H "User-Agent: neutron keystoneauth1/2.12.3 python-requests/2.11.1 CPython/2.7.5"
DEBUG: keystoneauth.session RESP: [200] Date: Thu, 05 Apr 2018 05:03:29 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-aecb21f2-1d6f-4344-9e15-a69448e69cb6 Content-Encoding: gzip Content-Length: 232 Connection: close Content-Type: application/json 
RESP BODY: {"version": {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.122.10:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: keystoneauth.identity.v2 Making authentication request to http://192.168.122.10:5000/v2.0/tokens
DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9"
DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 61 X-Openstack-Request-Id: req-a8f24b3a-7b44-47ef-affb-af3f41e2fcd9 Date: Thu, 05 Apr 2018 05:03:30 GMT Connection: keep-alive 
RESP BODY: {"routers": [{"id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79"}]}

DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 used request id req-a8f24b3a-7b44-47ef-affb-af3f41e2fcd9
DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/networks.json?fields=id&name=public -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9"
DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 62 X-Openstack-Request-Id: req-e4e2f421-d526-4553-84cb-dbee45c99081 Date: Thu, 05 Apr 2018 05:03:30 GMT Connection: keep-alive 
RESP BODY: {"networks": [{"id": "c75b3b98-d248-4054-9be0-241dcf613300"}]}

DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/networks.json?fields=id&name=public used request id req-e4e2f421-d526-4553-84cb-dbee45c99081
DEBUG: keystoneauth.session REQ: curl -g -i -X PUT http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}89a2316ceac44261dddfbb975cfeb355fd5e5fa9" -d '{"router": {"external_gateway_info": {"network_id": "c75b3b98-d248-4054-9be0-241dcf613300"}}}'
DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 648 X-Openstack-Request-Id: req-f0446eb7-4d3d-401e-b8f6-a24f6cb747e9 Date: Thu, 05 Apr 2018 05:03:31 GMT Connection: keep-alive 
RESP BODY: {"router": {"status": "ACTIVE", "external_gateway_info": {"network_id": "c75b3b98-d248-4054-9be0-241dcf613300", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "d9b99f0c-9a33-4950-96cb-5dc2c656d39a", "ip_address": "192.168.122.132"}]}, "availability_zone_hints": [], "availability_zones": ["nova"], "description": "", "admin_state_up": true, "tenant_id": "154e7c26be4f4c8eb00864031b15851b", "created_at": "2018-03-22T08:36:13Z", "updated_at": "2018-04-05T05:03:31Z", "flavor_id": null, "revision_number": 39, "routes": [], "project_id": "154e7c26be4f4c8eb00864031b15851b", "id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79", "name": "router1"}}

DEBUG: neutronclient.v2_0.client PUT call to neutron for http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json used request id req-f0446eb7-4d3d-401e-b8f6-a24f6cb747e9
Set gateway for router router1




[root@packstack10 ~(rahul)]# neutron --debug router-gateway-clear router1 public
DEBUG: stevedore.extension found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oauth1 = keystoneauth1.extras.oauth1._loading:V3OAuth1')
DEBUG: stevedore.extension found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG: stevedore.extension found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3samlpassword = keystoneauth1.extras._saml2._loading:Saml2Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcaccesstoken = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAccessToken')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3kerberos = keystoneauth1.extras.kerberos._loading:Kerberos')
DEBUG: stevedore.extension found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcclientcredentials = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectClientCredentials')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3tokenlessauth = keystoneauth1.loading._plugins.identity.v3:TokenlessAuth')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3totp = keystoneauth1.loading._plugins.identity.v3:TOTP')
DEBUG: stevedore.extension found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3fedkerb = keystoneauth1.extras.kerberos._loading:MappedKerberos')
DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-basic = gnocchiclient.auth:GnocchiBasicLoader')
DEBUG: stevedore.extension found extension EntryPoint.parse('gnocchi-noauth = gnocchiclient.auth:GnocchiNoAuthLoader')
DEBUG: stevedore.extension found extension EntryPoint.parse('token_endpoint = openstackclient.api.auth_plugin:TokenEndpoint')
DEBUG: stevedore.extension found extension EntryPoint.parse('aodh-noauth = aodhclient.noauth:AodhNoAuthLoader')
DEBUG: neutronclient.neutron.v2_0.router.RemoveGatewayRouter run(Namespace(request_format='json', router=u'router1'))
DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:5000/v2.0 -H "Accept: application/json" -H "User-Agent: neutron keystoneauth1/2.12.3 python-requests/2.11.1 CPython/2.7.5"
DEBUG: keystoneauth.session RESP: [200] Date: Thu, 05 Apr 2018 05:04:30 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-aeb7d21c-6cac-4d65-a404-0da06b23213d Content-Encoding: gzip Content-Length: 232 Connection: close Content-Type: application/json 
RESP BODY: {"version": {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.122.10:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: keystoneauth.identity.v2 Making authentication request to http://192.168.122.10:5000/v2.0/tokens
DEBUG: keystoneauth.session REQ: curl -g -i -X GET http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}03b0a59527a06dcffcd3db8c5ced4b662bddb6d6"
DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 61 X-Openstack-Request-Id: req-ede3e9e3-81ab-4d5f-97e0-14130dfc872b Date: Thu, 05 Apr 2018 05:04:30 GMT Connection: keep-alive 
RESP BODY: {"routers": [{"id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79"}]}

DEBUG: neutronclient.v2_0.client GET call to neutron for http://192.168.122.10:9696/v2.0/routers.json?fields=id&name=router1 used request id req-ede3e9e3-81ab-4d5f-97e0-14130dfc872b
DEBUG: keystoneauth.session REQ: curl -g -i -X PUT http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}03b0a59527a06dcffcd3db8c5ced4b662bddb6d6" -d '{"router": {"external_gateway_info": {}}}'
DEBUG: keystoneauth.session RESP: [200] Content-Type: application/json Content-Length: 465 X-Openstack-Request-Id: req-9bccbdc3-e6f3-41e2-99af-501c5b5ed77a Date: Thu, 05 Apr 2018 05:04:32 GMT Connection: keep-alive 
RESP BODY: {"router": {"status": "ACTIVE", "external_gateway_info": null, "availability_zone_hints": [], "availability_zones": ["nova"], "description": "", "admin_state_up": true, "tenant_id": "154e7c26be4f4c8eb00864031b15851b", "created_at": "2018-03-22T08:36:13Z", "updated_at": "2018-04-05T05:04:31Z", "flavor_id": null, "revision_number": 42, "routes": [], "project_id": "154e7c26be4f4c8eb00864031b15851b", "id": "cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79", "name": "router1"}}

DEBUG: neutronclient.v2_0.client PUT call to neutron for http://192.168.122.10:9696/v2.0/routers/cb3b3ff0-0786-4eb3-84cc-1eaf5601cd79.json used request id req-9bccbdc3-e6f3-41e2-99af-501c5b5ed77a
Removed gateway from router router1
~~~


Is there any other policy rule I need to configure to restrict this?

Comment 2 Brian Haley 2018-04-09 13:53:34 UTC
You should add this entry to policy.json to restrict updating of routers to admin-only:

    "update_router": "rule:admin_only"

I tried that locally and it worked.  Later versions have an "admin_or_owner" entry for update router that maybe would have made that more obvious.

Comment 3 Brian Haley 2018-04-09 13:59:55 UTC
Please update bug once customer has had a chance to test this, thanks.

Comment 4 Rahul Chincholkar 2018-04-10 05:58:44 UTC
Brian++

Thank you, 
customer has tested and confirmed that the provided solution is working. 

Regards,
Rahul Chincholkar


Note You need to log in before you can comment on or make changes to this bug.