Description of problem:
Using a project _member_'s credential, when creating a port with --enable-port-security or --disable-port-security, neutron-server is not obeying the default policy. When creating the port without --*-port-security, it's not obeying either.

Version-Release number of selected component (if applicable):
https://access.redhat.com/containers/#/registry.access.redhat.com/rhosp13/openstack-neutron-server/images/13.0-64
openstack-neutron-12.0.4-2.el7ost.noarch

How reproducible:
All the time

Steps to Reproduce: [1]
0. source project _member_ credentials
1. openstack port create bla --vnic-type normal --network name
2. openstack port create bla --vnic-type normal --network name --disable-port-security
3. openstack port create bla --vnic-type normal --network name --enable-port-security
4. Creating a port through horizon, with or without port security enabled

Actual results:
For reference, these are the default policies [2]:
0. Always as project _member_
1. Creating a port without --*-port-security succeeds and port-security is enabled
2. Creating a port with --disable-port-security fails.
3. Creating a port with --enable-port-security fails.
4. Fails all the time, no matter if we enable or disable port-security

Expected results:
Based on the default policies [2]:
1. This should fail because by default we can't enable port-security, and the default seems to have it on.
2. This should succeed because we are not network owner or admin.
3. This is failing as expected.
4. This should work if we disable port-security.
Additional info:

[1]
~~~
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85
+-----------------------+--------------------------------------------------------------------+
| Field                 | Value                                                              |
+-----------------------+--------------------------------------------------------------------+
| admin_state_up        | UP                                                                 |
| allowed_address_pairs |                                                                    |
| binding_host_id       | None                                                               |
| binding_profile       | None                                                               |
| binding_vif_details   | None                                                               |
| binding_vif_type      | None                                                               |
| binding_vnic_type     | normal                                                             |
| created_at            | 2019-01-29T19:57:07Z                                               |
| data_plane_status     | None                                                               |
| description           |                                                                    |
| device_id             |                                                                    |
| device_owner          |                                                                    |
| dns_assignment        | None                                                               |
| dns_name              | None                                                               |
| extra_dhcp_opts       |                                                                    |
| fixed_ips             | ip_address='xxx', subnet_id='8698fae0-3600-475c-b84a-c0dac810fb26' |
|                       | ip_address='xxx', subnet_id='a690460d-b7ec-4ced-b8bf-3b48b90a7f7e' |
| id                    | fc102516-93e3-493a-9db7-b14912e76baa                               |
| ip_address            | None                                                               |
| mac_address           | fa:16:3e:52:22:99                                                  |
| name                  | bla                                                                |
| network_id            | 97988f55-649b-4bdc-ab08-3f61b2958d85                               |
| option_name           | None                                                               |
| option_value          | None                                                               |
| port_security_enabled | True                                                               |
| project_id            | 38c2a42d76d143f69f3c0cc037a43ec9                                   |
| qos_policy_id         | None                                                               |
| revision_number       | 7                                                                  |
| security_group_ids    | 19b13e8f-b170-4b2b-baa4-b57c677c4dba                               |
| status                | DOWN                                                               |
| subnet_id             | None                                                               |
| tags                  |                                                                    |
| trunk_details         | None                                                               |
| updated_at            | 2019-01-29T19:57:07Z                                               |
+-----------------------+--------------------------------------------------------------------+
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85 --disable-port-security
HttpException: Unknown error
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ ^C
(overcloud) [stack@overcloud-rh-ucld-0 ~]$ openstack port create bla --vnic-type normal --network 97988f55-649b-4bdc-ab08-3f61b2958d85 --enable-port-security
HttpException: Unknown error
~~~

[2]
~~~
# docker exec -ti neutron_api grep create_port /etc/neutron/policy.json
    "create_port": "",
    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
~~~
Hi David - does the neutron server log show anything useful? Also, does running the openstack client with --debug show a more useful error? I think it's getting swallowed by one of the libraries here. Our testing upstream showed it worked there, we'll need to try and reproduce on OSP 13 when we have a chance.
Hello,

Here's the output with --debug of all 3 cases.
[1] with --enable-port-security
[2] with --disable-port-security
[3] without --*port-security

I'll attach the neutron server.log with debug enabled in a private attachment.

Let me know if you need anything else.

DVD

[1]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}f4801b84b2b93476a84662a8398d7e1095407e1f" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "port_security_enabled": true, "binding:vnic_type": "direct", "name": "dvdtest1", "admin_state_up": true}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 403 204
RESP: [403] Content-Type: application/json Content-Length: 204 X-Openstack-Request-Id: req-fc84d4c4-e28b-4b9e-928c-3d320d6222c5 Date: Wed, 06 Feb 2019 19:49:30 GMT
RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
POST call to network for https://xxx:13696/v2.0/ports used request id req-fc84d4c4-e28b-4b9e-928c-3d320d6222c5
Manager unknown ran task network.POST.ports in 1.35062813759s
HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
clean_up CreatePort: HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
END return value: 1
~~

[2]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}460575f2e0bd2a4328f23f13612cd4637e8d9f94" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "port_security_enabled": false, "binding:vnic_type": "direct", "name": "dvdtest1", "admin_state_up": true}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 403 204
RESP: [403] Content-Type: application/json Content-Length: 204 X-Openstack-Request-Id: req-fde234a9-a064-4dcb-8057-125a4685353f Date: Wed, 06 Feb 2019 19:50:58 GMT
RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
POST call to network for https://xxx:13696/v2.0/ports used request id req-fde234a9-a064-4dcb-8057-125a4685353f
Manager unknown ran task network.POST.ports in 0.6009349823s
HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
clean_up CreatePort: HttpException: Unknown error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/port.py", line 429, in take_action
    obj = client.create_port(**attrs)
  File "/usr/lib/python2.7/site-packages/openstack/network/v2/_proxy.py", line 1456, in create_port
    return self._create(_port.Port, **attrs)
  File "/usr/lib/python2.7/site-packages/openstack/proxy.py", line 194, in _create
    return res.create(self)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 732, in create
    self._translate_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 664, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: Unknown error
END return value: 1
~~

[3]
~~
REQ: curl -g -i -X POST https://xxx:13696/v2.0/ports -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5" -H "Content-Type: application/json" -H "X-Auth-Token: {SHA1}b8f8eed01afabec974d860d2baaeb3c03783dbe0" -d '{"port": {"network_id": "47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7", "admin_state_up": true, "name": "dvdtest1", "binding:vnic_type": "direct"}}'
https://xxx:13696 "POST /v2.0/ports HTTP/1.1" 201 750
RESP: [201] Content-Type: application/json Content-Length: 750 X-Openstack-Request-Id: req-b26013fc-76fa-4fdf-bad5-b01a0a8b7fc9 Date: Wed, 06 Feb 2019 19:51:38 GMT
RESP BODY: {"port":{"allowed_address_pairs":[],"extra_dhcp_opts":[],"updated_at":"2019-02-06T19:51:36Z","device_owner":"","revision_number":6,"port_security_enabled":true,"fixed_ips":[{"subnet_id":"fe9f18fd-7904-479d-badb-1e14f5ff6632","ip_address":"XXX"}],"id":"2742f9c1-7ef4-4be5-9c09-097b42db3020","security_groups":["19b13e8f-b170-4b2b-baa4-b57c677c4dba"],"mac_address":"fa:16:3e:d6:db:6a","device_id":"","status":"DOWN","description":"","tags":[],"name":"dvdtest1","project_id":"38c2a42d76d143f69f3c0cc037a43ec9","qos_policy_id":null,"admin_state_up":true,"network_id":"47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7","tenant_id":"38c2a42d76d143f69f3c0cc037a43ec9","created_at":"2019-02-06T19:51:36Z","binding:vnic_type":"direct","ip_allocation":"immediate"}}
POST call to network for https://xxx:13696/v2.0/ports used request id req-b26013fc-76fa-4fdf-bad5-b01a0a8b7fc9
Manager unknown ran task network.POST.ports in 6.09331393242s
+-----------------------+--------------------------------------------------------------------+
| Field                 | Value                                                              |
+-----------------------+--------------------------------------------------------------------+
| admin_state_up        | UP                                                                 |
| allowed_address_pairs |                                                                    |
| binding_host_id       | None                                                               |
| binding_profile       | None                                                               |
| binding_vif_details   | None                                                               |
| binding_vif_type      | None                                                               |
| binding_vnic_type     | direct                                                             |
| created_at            | 2019-02-06T19:51:36Z                                               |
| data_plane_status     | None                                                               |
| description           |                                                                    |
| device_id             |                                                                    |
| device_owner          |                                                                    |
| dns_assignment        | None                                                               |
| dns_name              | None                                                               |
| extra_dhcp_opts       |                                                                    |
| fixed_ips             | ip_address='XXX', subnet_id='fe9f18fd-7904-479d-badb-1e14f5ff6632' |
| id                    | 2742f9c1-7ef4-4be5-9c09-097b42db3020                               |
| ip_address            | None                                                               |
| mac_address           | fa:16:3e:d6:db:6a                                                  |
| name                  | dvdtest1                                                           |
| network_id            | 47a2cf2e-a5e5-446e-b6fb-5acf36f3a5a7                               |
| option_name           | None                                                               |
| option_value          | None                                                               |
| port_security_enabled | True                                                               |
| project_id            | 38c2a42d76d143f69f3c0cc037a43ec9                                   |
| qos_policy_id         | None                                                               |
| revision_number       | 6                                                                  |
| security_group_ids    | 19b13e8f-b170-4b2b-baa4-b57c677c4dba                               |
| status                | DOWN                                                               |
| subnet_id             | None                                                               |
| tags                  |                                                                    |
| trunk_details         | None                                                               |
| updated_at            | 2019-02-06T19:51:36Z                                               |
+-----------------------+--------------------------------------------------------------------+
clean_up CreatePort:
END return value: 0
~~
So as expected, the error being returned is:

RESP BODY: {"NeutronError": {"message": "((rule:create_port and rule:create_port:port_security_enabled) and rule:create_port:binding:vnic_type) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

In one of the server logs I see this:

Enforcing rules: ['create_port', 'create_port:port_security_enabled', 'create_port:binding:vnic_type'] log_rule_list /usr/lib/python2.7/site-packages/neutron/policy.py:334
Failed policy check for 'create_port' enforce /usr/lib/python2.7/site-packages/neutron/policy.py:405

At first I thought '--vnic-type normal' was causing it, but I can't reproduce this on master, so perhaps it's something in OSP 13?
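The policy.json excerpt in the report and the "Enforcing rules" log line above are two views of the same neutron behaviour: the per-attribute rule create_port:<attr> is only added to the check when <attr> is present in the request body. A request that omits port_security_enabled is therefore checked against the empty create_port rule alone, while one that sends it (true or false) also has to satisfy rule:admin_or_network_owner, which a plain _member_ on someone else's network cannot. The Python below is an added example, not neutron's code and not anything posted in this bug: a small evaluator for the oslo.policy rule subset the excerpt uses, run against the request bodies from the --debug output. The helper rules (context_is_admin, context_is_advsvc, admin_only, admin_or_network_owner), the ATTRS_WITH_POLICY set, the "network:tenant_id" target key and the sample principals and network owner ids are assumptions; the create_port:binding:vnic_type rule that the real server also enforced is not in the excerpt and is left out.

```python
"""Model of how neutron picks which create_port policy rules to enforce.
Added example for this bug thread (not neutron's code, not the reporter's):
a tiny evaluator for the oslo.policy rule subset used by the policy.json
excerpt, plus neutron's behaviour that "create_port:<attr>" is only
enforced when <attr> is present in the request body."""
import re

# Rules copied from the policy.json excerpt in this bug; the helper rules
# after the inner comment are assumptions resembling neutron's defaults.
POLICY = {
    "create_port": "",
    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
    # assumed helper rules (not on the page)
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_only": "rule:context_is_admin",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
}
# Port attributes from the excerpt that carry their own create_port:<attr>
# rule (fixed_ips sub-attributes left out to keep the model short).
ATTRS_WITH_POLICY = {"device_owner", "mac_address", "port_security_enabled",
                     "binding:host_id", "binding:profile",
                     "mac_learning_enabled", "allowed_address_pairs"}
# a token is "(", ")" or a run of non-blank chars in which %(...)s stays whole
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def _parse(rule):
    """Rule string -> tuple tree; 'or' binds loosest, then 'and', then 'not'."""
    tokens = _TOKEN.findall(rule)

    def chain(op, sub):  # left-associative run of `sub` joined by the word `op`
        node = sub()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, sub())
        return node

    def or_expr():
        return chain("or", lambda: chain("and", not_expr))

    def not_expr():
        tok = tokens.pop(0)
        if tok == "not":
            return ("not", not_expr())
        if tok == "(":
            node = or_expr()
            tokens.pop(0)  # the matching ")"
            return node
        return ("check", tok)

    return or_expr() if tokens else ("true",)  # "" means always allow


def _eval(node, creds, target):
    kind = node[0]
    if kind == "true":
        return True
    if kind == "not":
        return not _eval(node[1], creds, target)
    if kind == "and":
        return _eval(node[1], creds, target) and _eval(node[2], creds, target)
    if kind == "or":
        return _eval(node[1], creds, target) or _eval(node[2], creds, target)
    key, _, value = node[1].partition(":")
    if key == "rule":
        return check_rule(value, creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    # generic check: creds[key] == value, with %(name)s looked up in the target
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        value = target.get(m.group(1))
    return key in creds and str(creds[key]) == str(value)


def check_rule(name, creds, target):
    """An undefined rule denies, as oslo.policy does when no 'default' rule exists."""
    return name in POLICY and _eval(_parse(POLICY[name]), creds, target)


def enforce_create_port(creds, body, network):
    """Return (rules checked, rules that failed) for one create_port request."""
    # neutron checks create_port plus create_port:<attr> for each policy-bearing
    # attribute present in the body; attributes that were not sent are not checked
    rules = ["create_port"] + ["create_port:" + a for a in sorted(body)
                               if a in ATTRS_WITH_POLICY]
    # assumed target layout: the owning network's tenant id is exposed so that
    # admin_or_network_owner can compare it with the caller's tenant id
    target = dict(body, **{"network:tenant_id": network["tenant_id"]})
    return rules, [r for r in rules if not check_rule(r, creds, target)]


# Constructed sample principals: the member's project id is the one in the bug
# output; the other owner id is made up.
MEMBER = {"roles": ["_member_"], "tenant_id": "38c2a42d76d143f69f3c0cc037a43ec9"}
ADVSVC = {"roles": ["advsvc"], "tenant_id": "11111111111111111111111111111111"}
OWN_NETWORK = {"tenant_id": MEMBER["tenant_id"]}
FOREIGN_NETWORK = {"tenant_id": "22222222222222222222222222222222"}
```

Calling enforce_create_port(MEMBER, body, FOREIGN_NETWORK) with the three bodies from the --debug output gives an empty failure list for the body that omits port_security_enabled and ["create_port:port_security_enabled"] for both bodies that send it, matching the 201 and the two 403s above; the same member on OWN_NETWORK, or a caller holding the advsvc role, passes all three. When auditing a deployment, the useful check is therefore which attributes the client actually puts on the wire (horizon and openstackclient may send an attribute even when its value equals the default), not just what policy.json says for the bare create_port rule.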
David, I cannot reproduce this. Can you send me the policy.json for these hosts? I need to see whether they differ from standard, and if so by how much. Thanks, Nate
Hey Radomir! I just wanted to follow up on this to see if any progress was made so that I may update the customer. Thanks, Gabriel
There has been no progress, we were working on other bugs.
*** Bug 1954046 has been marked as a duplicate of this bug. ***
Any update on this?
*** Bug 2129483 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:0271