Description of problem:
Using Horizon/OpenStack Dashboard to create a network port on a shared network fails with the following error:

'Error: You are not allowed to create a port for network <shared_network_id>'

Version-Release number of selected component (if applicable):
Red Hat Openstack 13

How reproducible:
Always

- Create a shared network under $project_a
- Log into the OpenStack dashboard under $project_b
- As a user in $project_b create a network port on network shared by $project_a with the following options:
  - Port name
  - Admin state is checked (checked by default)
  - Specify subnet
  - Port security is checked (checked by default)
  - VNIC type = normal (selected by default)
- Port creation fails with the errors observed below on the dashboard[0], and the neutron api[1] error logs.

Dashboard errors:
Error: You are not allowed to create a port for network <shared_network_id>

Additional notes:
- Un-checking Admin State does not change this behavior
- Un-checking Port Security does not change this behavior
- Creating the network port on the shared network is successful through the OpenStack command line client.

[0]
--------------- Horizon errors ---------------
2019-02-26 11:43:30,023 59 INFO openstack_dashboard.dashboards.project.networks.ports.forms Failed to create a port for network 69f0585e-6839-42b9-80a0-818c6c7e0987: (rule:create_port and rule:create_port:port_security_enabled) is disallowed by policy
Neutron server returns request_ids: ['req-2f40ac6c-268c-42c4-a033-cf8102aa30b4']
2019-02-26 11:43:30,023 59 WARNING horizon.exceptions Recoverable error: (rule:create_port and rule:create_port:port_security_enabled) is disallowed by policy
Neutron server returns request_ids: ['req-2f40ac6c-268c-42c4-a033-cf8102aa30b4']

[1]
--------------- Neutron API errors ---------------
2019-02-26 11:43:29.653 27 DEBUG neutron.api.v2.base [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Request body: {u'port': {u'name': u'test-port-201', u'admin_state_up': True, u'network_id': u'69f0585e-6839-42b9-80a0-818c6c7e0987', u'tenant_id': u'88e74a584c2b4d03b51a9ba079f3253a', u'binding:vnic_type': u'normal', u'device_owner': u'', u'port_security_enabled': True, u'device_id': u''}} prepare_request_body /usr/lib/python2.7/site-packages/neutron/api/v2/base.py:690
2019-02-26 11:43:29.822 27 DEBUG neutron.db.quota.driver [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Resources subnetpool,trunk have unlimited quota limit. It is not required to calculate headroom make_reservation /usr/lib/python2.7/site-packages/neutron/db/quota/driver.py:223
2019-02-26 11:43:29.834 27 DEBUG neutron.db.quota.driver [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Attempting to reserve 1 items for resource port. Total usage: 0; quota limit: 500; headroom:500 make_reservation /usr/lib/python2.7/site-packages/neutron/db/quota/driver.py:255
2019-02-26 11:43:29.858 27 DEBUG neutron.pecan_wsgi.hooks.quota_enforcement [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Made reservation on behalf of 88e74a584c2b4d03b51a9ba079f3253a for: {'port': 1} before /usr/lib/python2.7/site-packages/neutron/pecan_wsgi/hooks/quota_enforcement.py:55
2019-02-26 11:43:29.992 27 DEBUG neutron.policy [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Enforcing rules: ['create_port', 'create_port:port_security_enabled'] log_rule_list /usr/lib/python2.7/site-packages/neutron/policy.py:334
2019-02-26 11:43:29.992 27 DEBUG neutron.policy [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] Failed policy check for 'create_port' enforce /usr/lib/python2.7/site-packages/neutron/policy.py:405
2019-02-26 11:43:29.994 27 INFO neutron.pecan_wsgi.hooks.translation [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] POST failed (client error): Access was denied to this resource.
2019-02-26 11:43:29.994 27 DEBUG neutron.pecan_wsgi.hooks.notifier [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] No notification will be sent due to unsuccessful status code: 403 after /usr/lib/python2.7/site-packages/neutron/pecan_wsgi/hooks/notifier.py:79
2019-02-26 11:43:30.021 27 INFO neutron.wsgi [req-2f40ac6c-268c-42c4-a033-cf8102aa30b4 8909803e10bd4e97a31fee3b17e7a809 88e74a584c2b4d03b51a9ba079f3253a - default default] 172.16.20.42 "POST /v2.0/ports HTTP/1.1" status: 403 len: 345 time: 0.3725500

This seems like expected behavior. The port creation is forbidden by a policy.
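
To see which policy rule denied a request like the one in the Neutron API log above, the debug lines can be grouped by request id so the enforced rules, the failed rule and the HTTP status sit in one record. This is an added example, not part of the bug report or of Neutron's code; the sample lines are constructed in the log layout shown in the report, with made-up ids, and `policy_denials` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout shown in the report (ids are made up).
SAMPLE = """\
2019-01-01 10:00:00.100 27 DEBUG neutron.policy [req-aaaa1111 user1 proj1 - default default] Enforcing rules: ['create_port', 'create_port:port_security_enabled'] log_rule_list /usr/lib/python2.7/site-packages/neutron/policy.py:334
2019-01-01 10:00:00.101 27 DEBUG neutron.policy [req-aaaa1111 user1 proj1 - default default] Failed policy check for 'create_port' enforce /usr/lib/python2.7/site-packages/neutron/policy.py:405
2019-01-01 10:00:00.130 27 INFO neutron.wsgi [req-aaaa1111 user1 proj1 - default default] 192.0.2.10 "POST /v2.0/ports HTTP/1.1" status: 403 len: 345 time: 0.3725500
2019-01-01 10:00:05.000 27 INFO neutron.wsgi [req-bbbb2222 user2 proj2 - default default] 192.0.2.11 "GET /v2.0/networks HTTP/1.1" status: 200 len: 900 time: 0.0500000
"""

# "[req-id user-id project-id - domain domain] message"
CTX = re.compile(r"\[(req-[0-9a-f-]+) (\S+) (\S+) [^\]]*\] (.*)$")
RULES = re.compile(r"Enforcing rules: \[(.*?)\]")
FAILED = re.compile(r"Failed policy check for '([^']+)'")
HTTP = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" status: (\d+)')


def policy_denials(text):
    """Return {request_id: record} for every request with a failed policy check."""
    reqs = defaultdict(lambda: {"rules": [], "failed": [], "status": None})
    for line in text.splitlines():
        ctx = CTX.search(line)
        if not ctx:
            continue  # not a request-scoped log line
        req_id, user, project, msg = ctx.groups()
        rec = reqs[req_id]
        rec.update(user=user, project=project)
        rules = RULES.search(msg)
        if rules:
            rec["rules"] = re.findall(r"'([^']+)'", rules.group(1))
        failed = FAILED.search(msg)
        if failed:
            rec["failed"].append(failed.group(1))
        http = HTTP.search(msg)
        if http:
            rec.update(method=http.group(1), path=http.group(2),
                       status=int(http.group(3)))
    # Only requests where neutron.policy logged a failed check are denials.
    return {rid: rec for rid, rec in reqs.items() if rec["failed"]}


if __name__ == "__main__":
    for rid, rec in policy_denials(SAMPLE).items():
        print(rid, rec["project"], rec["failed"], rec["rules"], rec["status"])
```

The "Failed policy check" line is logged at DEBUG level, so the rule name is only available when debug logging is enabled on the Neutron server.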