Description of problem:

When admin of a project [1], we can create a port with fixed_ips with these policies [2]. Apparently, this wasn't possible in OSP10 because the fixed_ips rule doesn't contain the rule:shared. The goal here is that we want to allow tenants to pick their subnet, but not their IPs.

[3] net-show
[4] subnet-show
[5] port create

[1]
~~~
$ openstack role assignment list --project dvd-project --user dvd --names
+----------+-------------+-------+---------------------+--------+-----------+
| Role     | User        | Group | Project             | Domain | Inherited |
+----------+-------------+-------+---------------------+--------+-----------+
| admin    | dvd@Default |       | dvd-project@Default |        | False     |
| _member_ | dvd@Default |       | dvd-project@Default |        | False     |
+----------+-------------+-------+---------------------+--------+-----------+
~~~

[2]
~~~
# grep create_port:fixed_ips /var/lib/config-data/puppet-generated/neutron/etc/neutron/policy.json
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
~~~

[3]
~~~
$ openstack network show somenet1
+---------------------------+----------------------------------------------------------------------------+
| Field                     | Value                                                                      |
+---------------------------+----------------------------------------------------------------------------+
| admin_state_up            | UP                                                                         |
| availability_zone_hints   |                                                                            |
| availability_zones        | nova                                                                       |
| created_at                | 2018-11-16T15:15:27Z                                                       |
| description               |                                                                            |
| dns_domain                | None                                                                       |
| id                        | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec                                       |
| ipv4_address_scope        | None                                                                       |
| ipv6_address_scope        | None                                                                       |
| is_default                | None                                                                       |
| is_vlan_transparent       | None                                                                       |
| mtu                       | 9000                                                                       |
| name                      | somenet1                                                                   |
| port_security_enabled     | True                                                                       |
| project_id                | bce4ff800e4a48348f3e673c97340d66                                           |
| provider:network_type     | vlan                                                                       |
| provider:physical_network | datacentre                                                                 |
| provider:segmentation_id  | 2902                                                                       |
| qos_policy_id             | None                                                                       |
| revision_number           | 6                                                                          |
| router:external           | Internal                                                                   |
| segments                  | None                                                                       |
| shared                    | True                                                                       |
| status                    | ACTIVE                                                                     |
| subnets                   | 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c, 5e4f2e3b-93b6-44ea-873b-172059209cf4 |
| tags                      |                                                                            |
| updated_at                | 2018-11-26T22:05:07Z                                                       |
+---------------------------+----------------------------------------------------------------------------+
~~~

[4]
~~~
$ openstack subnet show 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 10.141.168.136-10.141.168.190        |
| cidr              | 10.141.168.128/26                    |
| created_at        | 2018-11-16T15:15:31Z                 |
| description       |                                      |
| dns_nameservers   |                                      |
| enable_dhcp       | False                                |
| gateway_ip        | 10.141.168.129                       |
| host_routes       |                                      |
| id                | 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | subnet-somenet1-v4                   |
| network_id        | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec |
| project_id        | bce4ff800e4a48348f3e673c97340d66     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2018-11-16T15:15:31Z                 |
+-------------------+--------------------------------------+
~~~

[5]
~~~
$ openstack port create portx2 --network somenet1 --fixed-ip subnet=27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c,ip-address=10.141.168.129
+-----------------------+-------------------------------------------------------------------------------+
| Field                 | Value                                                                         |
+-----------------------+-------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                            |
| allowed_address_pairs |                                                                               |
| binding_host_id       |                                                                               |
| binding_profile       |                                                                               |
| binding_vif_details   |                                                                               |
| binding_vif_type      | unbound                                                                       |
| binding_vnic_type     | normal                                                                        |
| created_at            | 2018-12-09T20:29:20Z                                                          |
| data_plane_status     | None                                                                          |
| description           |                                                                               |
| device_id             |                                                                               |
| device_owner          |                                                                               |
| dns_assignment        | None                                                                          |
| dns_name              | None                                                                          |
| extra_dhcp_opts       |                                                                               |
| fixed_ips             | ip_address='10.141.168.129', subnet_id='27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c' |
| id                    | e9aeb76a-ccb5-4f23-83d8-553b32523573                                          |
| ip_address            | None                                                                          |
| mac_address           | fa:16:3e:a7:eb:c1                                                             |
| name                  | portx2                                                                        |
| network_id            | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec                                          |
| option_name           | None                                                                          |
| option_value          | None                                                                          |
| port_security_enabled | True                                                                          |
| project_id            | 4c2720e090794df5ad66ae8628d671f2                                              |
| qos_policy_id         | None                                                                          |
| revision_number       | 6                                                                             |
| security_group_ids    | d2f1c145-cffa-4670-a736-ac3004e3f918                                          |
| status                | DOWN                                                                          |
| subnet_id             | None                                                                          |
| tags                  |                                                                               |
| trunk_details         | None                                                                          |
| updated_at            | 2018-12-09T20:29:20Z                                                          |
+-----------------------+-------------------------------------------------------------------------------+
~~~

Version-Release number of selected component (if applicable):
12.0.4-2

How reproducible:
All the time

Steps to Reproduce:
1. Create project and user admin of that project
2. Create a shared network with subnet
3. Create port with fixed ip in that subnet

Actual results:
Port gets created with a specified fixed_ip

Expected results:
We should be able to create a port with a fixed_ip using subnet, but we should be forbidden when we specify an ip.

Additional info:
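As an added illustration (not code from this report or from Neutron, which uses oslo.policy), a small evaluator for the two policy.json lines quoted in [2], run against the project IDs from [3] and [5]. It shows the outcome the reporter expects from those rules: a caller who is not the network owner may pick subnet_id on a shared network, but ip_address is rejected. The supporting definitions of context_is_advsvc, context_is_admin, admin_or_network_owner and shared are assumptions modelled on Neutron's defaults, and how Neutron derives admin-ness from a project-scoped admin role is outside this example.

```python
# Added example, not Neutron code: a minimal evaluator for the two policy.json
# lines quoted in the report. The supporting definitions (context_is_*, shared,
# admin_or_network_owner) are an assumption modelled on Neutron's defaults.
RULES = {
    "create_port:fixed_ips:ip_address":
        "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id":
        "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
    "context_is_advsvc": "role:advsvc",                       # assumed
    "context_is_admin": "role:admin",                         # assumed
    "admin_or_network_owner":                                 # assumed
        "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",                   # assumed
}

def check(rule, target, creds):
    """Evaluate a rule string; only the 'a or b or c' form is supported."""
    return any(_atom(a.strip(), target, creds) for a in rule.split(" or "))

def _atom(atom, target, creds):
    kind, _, arg = atom.partition(":")
    if kind == "rule":
        return check(RULES[arg], target, creds)
    if kind == "role":
        return arg in creds["roles"]
    if kind == "tenant_id":          # tenant_id:%(network:tenant_id)s
        return creds["tenant_id"] == target[arg[2:-2]]
    if kind == "field":              # field:networks:shared=True
        resource, _, expr = arg.partition(":")
        name, _, value = expr.partition("=")
        return str(target.get(f"{resource[:-1]}:{name}")) == value
    raise ValueError(f"unsupported check: {atom}")

def denied_fixed_ip_attrs(fixed_ip, network_target, creds):
    """fixed_ips keys present in the request that the policy rejects; like
    Neutron, only attributes the caller actually sent are checked."""
    return [k for k in fixed_ip
            if not check(RULES[f"create_port:fixed_ips:{k}"], network_target, creds)]

# Constructed scenario with the IDs from the report: a shared network owned by
# one project, requested by a plain member of a different project.
SHARED_NET = {"network:tenant_id": "bce4ff800e4a48348f3e673c97340d66",
              "network:shared": True}
OTHER_TENANT = {"tenant_id": "4c2720e090794df5ad66ae8628d671f2", "roles": ["_member_"]}
REQUEST = {"subnet_id": "27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c",
           "ip_address": "10.141.168.129"}

if __name__ == "__main__":
    print(denied_fixed_ip_attrs({"subnet_id": REQUEST["subnet_id"]}, SHARED_NET, OTHER_TENANT))
    print(denied_fixed_ip_attrs(REQUEST, SHARED_NET, OTHER_TENANT))  # ['ip_address']
```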
This appears to have been reported (but expired) upstream [1] already. I came to the same conclusion as this user when I added some debug to neutron. This commit [2] isn't working.

[1] https://bugs.launchpad.net/neutron/+bug/1779225
[2] https://review.openstack.org/#/c/432850/
Can we have this bug backported to OSP14 as well? Should I open another bugzilla for that?
I already did it: https://bugzilla.redhat.com/show_bug.cgi?id=1708088
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1744