Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1657546 - Policies create_port:fixed_ips:* ignored
Summary: Policies create_port:fixed_ips:* ignored
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: z7
: 13.0 (Queens)
Assignee: Slawek Kaplonski
QA Contact: Roee Agiman
URL:
Whiteboard:
Depends On:
Blocks: 1708088 1712271
TreeView+ depends on / blocked
 
Reported: 2018-12-09 20:45 UTC by David Vallee Delisle
Modified: 2019-08-01 07:10 UTC (History)
7 users (show)

Fixed In Version: openstack-neutron-12.0.5-15.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1708088 1712271 (view as bug list)
Environment:
Last Closed: 2019-07-10 13:01:59 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1779225 0 None None None 2018-12-09 20:51:39 UTC
Launchpad 1808112 0 None None None 2018-12-12 08:57:06 UTC
Launchpad 1822105 0 None None None 2019-03-28 20:43:18 UTC
OpenStack gerrit 432850 0 None MERGED Allow port create/update by shared nw owners 2020-10-09 08:13:10 UTC
OpenStack gerrit 648532 0 None MERGED Fix creating policy rules from subattributes. 2020-10-09 08:13:10 UTC
OpenStack gerrit 652636 0 None MERGED Fix handling of network:shared field in policy module 2020-10-09 08:13:10 UTC
Red Hat Product Errata RHBA-2019:1744 0 None None None 2019-07-10 13:02:16 UTC

Description David Vallee Delisle 2018-12-09 20:45:24 UTC
Description of problem:
When admin of a project [1], we can create a port with fixed_ips with these policies [2]. Apparently, this wasn't possible in OSP10 because the fixed_ips rule doesn't contain the rule:shared.

The goal here is that we want to allow tenant to pick their subnet, but not their IPs.

[3] net-show
[4] subnet-show
[5] port create

[1]
~~~
$ openstack role assignment list --project dvd-project --user dvd --names
+----------+-------------+-------+---------------------+--------+-----------+
| Role     | User        | Group | Project             | Domain | Inherited |
+----------+-------------+-------+---------------------+--------+-----------+
| admin    | dvd@Default |       | dvd-project@Default |        | False     |
| _member_ | dvd@Default |       | dvd-project@Default |        | False     |
+----------+-------------+-------+---------------------+--------+-----------+
~~~

[2]
~~~
# grep create_port:fixed_ips /var/lib/config-data/puppet-generated/neutron/etc/neutron/policy.json 
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
~~~

[3]
~~~
$ openstack network show somenet1
+---------------------------+----------------------------------------------------------------------------+
| Field                     | Value                                                                      |
+---------------------------+----------------------------------------------------------------------------+
| admin_state_up            | UP                                                                         |
| availability_zone_hints   |                                                                            |
| availability_zones        | nova                                                                       |
| created_at                | 2018-11-16T15:15:27Z                                                       |
| description               |                                                                            |
| dns_domain                | None                                                                       |
| id                        | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec                                       |
| ipv4_address_scope        | None                                                                       |
| ipv6_address_scope        | None                                                                       |
| is_default                | None                                                                       |
| is_vlan_transparent       | None                                                                       |
| mtu                       | 9000                                                                       |
| name                      | somenet1                                                                   |
| port_security_enabled     | True                                                                       |
| project_id                | bce4ff800e4a48348f3e673c97340d66                                           |
| provider:network_type     | vlan                                                                       |
| provider:physical_network | datacentre                                                                 |
| provider:segmentation_id  | 2902                                                                       |
| qos_policy_id             | None                                                                       |
| revision_number           | 6                                                                          |
| router:external           | Internal                                                                   |
| segments                  | None                                                                       |
| shared                    | True                                                                       |
| status                    | ACTIVE                                                                     |
| subnets                   | 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c, 5e4f2e3b-93b6-44ea-873b-172059209cf4 |
| tags                      |                                                                            |
| updated_at                | 2018-11-26T22:05:07Z                                                       |
+---------------------------+----------------------------------------------------------------------------+
~~~

[4]
~~~
$ openstack subnet show 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 10.141.168.136-10.141.168.190        |
| cidr              | 10.141.168.128/26                    |
| created_at        | 2018-11-16T15:15:31Z                 |
| description       |                                      |
| dns_nameservers   |                                      |
| enable_dhcp       | False                                |
| gateway_ip        | 10.141.168.129                       |
| host_routes       |                                      |
| id                | 27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | subnet-somenet1-v4                   |
| network_id        | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec |
| project_id        | bce4ff800e4a48348f3e673c97340d66     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2018-11-16T15:15:31Z                 |
+-------------------+--------------------------------------+
~~~


[5]
~~~
$ openstack port create portx2 --network somenet1 --fixed-ip subnet=27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c,ip-address=10.141.168.129
+-----------------------+-------------------------------------------------------------------------------+
| Field                 | Value                                                                         |
+-----------------------+-------------------------------------------------------------------------------+
| admin_state_up        | UP                                                                            |
| allowed_address_pairs |                                                                               |
| binding_host_id       |                                                                               |
| binding_profile       |                                                                               |
| binding_vif_details   |                                                                               |
| binding_vif_type      | unbound                                                                       |
| binding_vnic_type     | normal                                                                        |
| created_at            | 2018-12-09T20:29:20Z                                                          |
| data_plane_status     | None                                                                          |
| description           |                                                                               |
| device_id             |                                                                               |
| device_owner          |                                                                               |
| dns_assignment        | None                                                                          |
| dns_name              | None                                                                          |
| extra_dhcp_opts       |                                                                               |
| fixed_ips             | ip_address='10.141.168.129', subnet_id='27a4ab4a-a5f8-440b-abea-0f38ecc1cd8c' |
| id                    | e9aeb76a-ccb5-4f23-83d8-553b32523573                                          |
| ip_address            | None                                                                          |
| mac_address           | fa:16:3e:a7:eb:c1                                                             |
| name                  | portx2                                                                        |
| network_id            | a8a0a03f-dd8a-4ad7-8c45-2427a23ad3ec                                          |
| option_name           | None                                                                          |
| option_value          | None                                                                          |
| port_security_enabled | True                                                                          |
| project_id            | 4c2720e090794df5ad66ae8628d671f2                                              |
| qos_policy_id         | None                                                                          |
| revision_number       | 6                                                                             |
| security_group_ids    | d2f1c145-cffa-4670-a736-ac3004e3f918                                          |
| status                | DOWN                                                                          |
| subnet_id             | None                                                                          |
| tags                  |                                                                               |
| trunk_details         | None                                                                          |
| updated_at            | 2018-12-09T20:29:20Z                                                          |
+-----------------------+-------------------------------------------------------------------------------+
~~~
Version-Release number of selected component (if applicable):
12.0.4-2

How reproducible:

All the time

Steps to Reproduce:
1. Create project and user admin of that project
2. Create a shared network with subnet
3. Create port with fixed ip in that subnet

Actual results:
Port gets created with a specified fixed_ip

Expected results:
We should be able to create a port with a fixed_ip using subnet but we should be forbidden when we specify an ip.

Additional info:

Comment 2 David Vallee Delisle 2018-12-09 20:51:06 UTC
This appears to have been reported (but expired) upstream [1] already. I came to the same conclusion as this user when I added some debug to neutron.

This commit [2] isn't working.

[1] https://bugs.launchpad.net/neutron/+bug/1779225
[2] https://review.openstack.org/#/c/432850/

Comment 10 Andre 2019-05-09 07:47:19 UTC
Can we have this bug backported to OSP14 as well? Should I open another bugzilla for that?

Comment 11 Slawek Kaplonski 2019-05-09 08:31:14 UTC
I already did it: https://bugzilla.redhat.com/show_bug.cgi?id=1708088

Comment 22 errata-xmlrpc 2019-07-10 13:01:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1744


Note You need to log in before you can comment on or make changes to this bug.