Bug 1722242 - [neutron][RBAC] User is not allowed to create port with fixed IP on shared network via RBAC
Summary: [neutron][RBAC] User is not allowed to create port with fixed IP on shared ne...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 14.0 (Rocky)
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Slawek Kaplonski
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks: 1753118
 
Reported: 2019-06-19 18:49 UTC by Mauro Oddi
Modified: 2023-10-06 18:22 UTC (History)

Fixed In Version: openstack-neutron-13.0.4-0.20190508213445.de95bc6.el7ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1753118
Environment:
Last Closed: 2019-11-06 16:50:27 UTC
Target Upstream Version:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary                                                               Last Updated
OpenStack gerrit        666816          0        None      MERGED  Treat networks shared by RBAC in same way as shared with all tenants  2020-12-15 15:19:24 UTC
Red Hat Issue Tracker   OSP-19469       0        None      None    None                                                                  2022-10-17 10:13:15 UTC
Red Hat Product Errata  RHBA-2019:3750  0        None      None    None                                                                  2019-11-06 16:50:55 UTC

Description Mauro Oddi 2019-06-19 18:49:02 UTC
Description of problem:
When a network is shared via RBAC between two tenants and the neutron policy is modified to allow adding ports with fixed IPs to shared networks, still the policy is not honoured and the port creation fails.


Version-Release number of selected component (if applicable):
Rocky - RHOSP14
python-neutron-lbaas-13.0.1-0.20181017150329.1353bad.el7ost.noarch
openstack-neutron-fwaas-13.0.2-0.20190123183836.90951a5.el7ost.noarch
python-neutron-fwaas-13.0.2-0.20190123183836.90951a5.el7ost.noarch
openstack-neutron-13.0.3-0.20190313155649.00b63be.el7ost.noarch
python2-neutronclient-6.9.1-0.20180925041810.7eba94e.el7ost.noarch
openstack-neutron-common-13.0.3-0.20190313155649.00b63be.el7ost.noarch
openstack-neutron-ml2-13.0.3-0.20190313155649.00b63be.el7ost.noarch
puppet-neutron-13.3.2-0.20190214000933.2246751.el7ost.noarch
python-neutron-13.0.3-0.20190313155649.00b63be.el7ost.noarch
openstack-neutron-lbaas-13.0.1-0.20181017150329.1353bad.el7ost.noarch
python2-neutron-lib-1.18.0-0.20180816094046.67865c7.el7ost.noarch


How reproducible:
always

Steps to Reproduce:
 1. Create tenant1 with user1 and tenant2 with user2, assign testrole to both

 2. Change the default policy.json to allow creation of ports with fixed IP address in a shared network:

        ()[root@controller-2 /]# diff /etc/neutron/policy.json /etc/neutron/policy.json.bkp
        78c78
        < "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
        ---
        > "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",

 3. As user1 create a network and share it via RBAC to tenant2:

        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
        +---------------------------+--------------------------------------+
        | Field | Value |
        +---------------------------+--------------------------------------+
        | admin_state_up | UP |
        | availability_zone_hints | |
        | availability_zones | |
        | created_at | 2019-06-19T18:01:01Z |
        | description | |
        | dns_domain | None |
        | id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | ipv4_address_scope | None |
        | ipv6_address_scope | None |
        | is_default | False |
        | is_vlan_transparent | None |
        | mtu | 1450 |
        | name | rbacnet1 |
        | port_security_enabled | True |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | provider:network_type | None |
        | provider:physical_network | None |
        | provider:segmentation_id | None |
        | qos_policy_id | None |
        | revision_number | 2 |
        | router:external | Internal |
        | segments | None |
        | shared | False |
        | status | ACTIVE |
        | subnets | |
        | tags | |
        | updated_at | 2019-06-19T18:01:02Z |
        +---------------------------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
        +--------------------------------------+----------+--------------------------------------+
        | ID | Name | Subnets |
        +--------------------------------------+----------+--------------------------------------+
        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | |
        | d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
        +--------------------------------------+----------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf1add0902f73690bac rbacnet1
        +-------------------+--------------------------------------+
        | Field | Value |
        +-------------------+--------------------------------------+
        | action | access_as_shared |
        | id | e377033b-f374-4fd5-8015-9a7426681d7e |
        | name | None |
        | object_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | object_type | network |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | target_project_id | ba08ccc271614bf1add0902f73690bac |
        +-------------------+--------------------------------------+
        user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
        +-------------------+--------------------------------------+
        | Field | Value |
        +-------------------+--------------------------------------+
        | allocation_pools | 10.0.100.2-10.0.100.254 |
        | cidr | 10.0.100.0/24 |
        | created_at | 2019-06-19T18:10:50Z |
        | description | |
        | dns_nameservers | |
        | enable_dhcp | True |
        | gateway_ip | 10.0.100.1 |
        | host_routes | |
        | id | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
        | ip_version | 4 |
        | ipv6_address_mode | None |
        | ipv6_ra_mode | None |
        | name | rbacsubnet1 |
        | network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | project_id | 4ff7e3db6d64429db1b39f993bb99411 |
        | revision_number | 0 |
        | segment_id | None |
        | service_types | |
        | subnetpool_id | None |
        | tags | |
        | updated_at | 2019-06-19T18:10:50Z |
        +-------------------+--------------------------------------+

 4. As user2 try to create a port with a fixed IP

        user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
        user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
        +--------------------------------------+----------+--------------------------------------+
        | ID | Name | Subnets |
        +--------------------------------------+----------+--------------------------------------+
        | 8961329b-08a2-4c7c-88cf-b5cca43ca678 | rbacnet1 | c00f565b-e4eb-4bf5-852c-8a22b95911fa |
        | d6540930-acb2-48f9-8451-da3c5c7622aa | public | 2b59541a-8e12-499f-88d6-7c79c56fcfe9 |
        +--------------------------------------+----------+--------------------------------------+
        user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
        | shared | True |

        user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=rbacsubnet1,ip-address=10.0.100.123
        HttpException: 403: Client Error for url: http://10.0.0.112:9696/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

 5. Creating the port without fixed IP works fine

        user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
        +-----------------------+----------------------------------------------------------------------------+
        | Field | Value |
        +-----------------------+----------------------------------------------------------------------------+
        | admin_state_up | UP |
        | allowed_address_pairs | |
        | binding_host_id | None |
        | binding_profile | None |
        | binding_vif_details | None |
        | binding_vif_type | None |
        | binding_vnic_type | normal |
        | created_at | 2019-06-19T18:28:49Z |
        | data_plane_status | None |
        | description | |
        | device_id | |
        | device_owner | |
        | dns_assignment | None |
        | dns_domain | None |
        | dns_name | None |
        | extra_dhcp_opts | |
        | fixed_ips | ip_address='10.0.100.15', subnet_id='c00f565b-e4eb-4bf5-852c-8a22b95911fa' |
        | id | 7fe12e20-0e2c-4801-9742-da2eeef63f43 |
        | mac_address | fa:16:3e:99:6e:6b |
        | name | portx11 |
        | network_id | 8961329b-08a2-4c7c-88cf-b5cca43ca678 |
        | port_security_enabled | True |
        | project_id | ba08ccc271614bf1add0902f73690bac |
        | qos_policy_id | None |
        | revision_number | 2 |
        | security_group_ids | 063f4f88-24f8-442d-b1b4-d0f9e5bc4f9b |
        | status | DOWN |
        | tags | |
        | trunk_details | None |
        | updated_at | 2019-06-19T18:28:49Z |
        +-----------------------+----------------------------------------------------------------------------+

Expected result is that the port with fixed IP should be created following the policy.
Even though rule:shared should be honoured, the policy is interpreted within an admin context where the network looks like shared = False.


Actual results:
The port creation is disallowed by policy

Expected results:
The port should be created successfully

Additional info:

Upstream bug: https://bugs.launchpad.net/neutron/+bug/1833455
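Added illustration (not part of the report above, and not neutron or oslo.policy code): a small model of the policy check the reporter describes. The report shows that the network's "shared" attribute is relative to the caller (user1, the owner, sees shared=False in step 3; user2, the RBAC target, sees shared=True in step 4), and that the rule:shared check is evaluated against the network as seen by an admin context, where no per-project RBAC entry matches. The "fixed" branch below evaluates rule:shared for the requesting project instead; that is an assumption about the effect of the upstream change, whose review title says RBAC-shared networks are to be treated like networks shared with all tenants. Project and network ids are taken from the report except PROJECT3, ADMIN_PROJECT and ALLNET, which are constructed for contrast (ALLNET stands for a network shared with everyone, i.e. an RBAC entry targeting "*").

```python
"""Why user2's fixed-IP port create is refused even though rule:shared is in
the policy, and how the check behaves once 'shared' is evaluated for the
requester.  Added illustration for this report: the data model and the rule
evaluator are simplified stand-ins, not neutron or oslo.policy code."""
from dataclasses import dataclass

ACCESS_AS_SHARED = "access_as_shared"


@dataclass(frozen=True)
class Network:
    id: str
    project_id: str          # owning project


@dataclass(frozen=True)
class RbacEntry:
    object_id: str
    action: str
    target_project_id: str   # a project id, or "*" for every project


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False


# Sample data mirroring the report (ids from the report unless marked constructed).
PROJECT1 = "4ff7e3db6d64429db1b39f993bb99411"       # user1, owns rbacnet1
PROJECT2 = "ba08ccc271614bf1add0902f73690bac"       # user2, RBAC target
PROJECT3 = "33333333333333333333333333333333"       # constructed: no access at all
ADMIN_PROJECT = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # constructed admin project

RBACNET1 = Network("8961329b-08a2-4c7c-88cf-b5cca43ca678", PROJECT1)
# Constructed: a network shared with everyone (what `--share` produces) is
# represented as an access_as_shared entry whose target is "*".
ALLNET = Network("ffffffff-ffff-ffff-ffff-ffffffffffff", PROJECT1)
RBAC_ENTRIES = (
    RbacEntry(RBACNET1.id, ACCESS_AS_SHARED, PROJECT2),
    RbacEntry(ALLNET.id, ACCESS_AS_SHARED, "*"),
)


def shared_as_seen_by(net, rbac, ctx):
    """The 'shared' attribute is relative to the caller, as the report shows:
    user1 (owner) sees shared=False, user2 (RBAC target) sees shared=True."""
    return any(e.object_id == net.id and e.action == ACCESS_AS_SHARED
               and e.target_project_id in ("*", ctx.project_id)
               for e in rbac)


def check_fixed_ip_rule(ctx, net, rbac, fixed):
    """Evaluate the modified create_port:fixed_ips:ip_address rule from the
    report (rule:context_is_advsvc left out):
        rule:admin_or_network_owner or rule:shared
    fixed=False reproduces the behaviour the report describes; fixed=True
    evaluates rule:shared for the requester (assumed effect of the fix)."""
    if ctx.is_admin or ctx.project_id == net.project_id:
        return True                       # rule:admin_or_network_owner
    if fixed:
        return shared_as_seen_by(net, rbac, ctx)
    # Pre-fix: the network that rule:shared inspects was loaded under an admin
    # context, so 'shared' is computed for the admin's project.  A "*" entry
    # still matches; a per-project RBAC entry does not, hence the 403.
    return shared_as_seen_by(net, rbac, Context(ADMIN_PROJECT, is_admin=True))


def decisions(net, fixed):
    """Outcome of `openstack port create --fixed-ip ...` on `net` per requester."""
    requesters = {
        "user1": Context(PROJECT1),
        "user2": Context(PROJECT2),
        "user3": Context(PROJECT3),
        "admin": Context(ADMIN_PROJECT, is_admin=True),
    }
    return {name: check_fixed_ip_rule(ctx, net, RBAC_ENTRIES, fixed)
            for name, ctx in requesters.items()}


if __name__ == "__main__":
    for net, label in ((RBACNET1, "rbacnet1 (RBAC to project2)"),
                       (ALLNET, "network shared with *")):
        print(label, "before fix:", decisions(net, False))
        print(label, "after fix: ", decisions(net, True))
```

The contrast with ALLNET is the point: a network shared with "*" passes rule:shared whatever context evaluates it, which is why the default `--share` case never showed the problem, while a per-project access_as_shared entry only matches when the check is made for the target project itself.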

Comment 5 Slawek Kaplonski 2019-07-11 13:38:44 UTC
I have prepared hot fix locally. I applied it on test env and checked that it works as expected. If hot fix request will be approved I can provide it here as attachment.

Comment 15 errata-xmlrpc 2019-11-06 16:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3750

Comment 16 Madhu Kulkarni 2022-10-17 10:05:18 UTC
Is it solved? I have RHOSP 16.2 and facing this issue.

