Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2250708

Summary: External shared networks may not be seen by other projects
Product: Red Hat OpenStack
Reporter: David Hill <dhill>
Component: openstack-containers
Assignee: Priscila Gutierres <prgutier>
Status: CLOSED ERRATA
QA Contact: Arik Chernetsky <achernet>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 16.2 (Train)
CC: apevec, arcsingh, astupnik, ccamposr, chrisw, dciabrin, gkadam, jjoyce, jlibosva, jschluet, jveiraca, lhh, m.andre, pgrist, ralonsoh, scohen, skaplons, vcojot
Target Milestone: async
Keywords: Regression, Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openstack-dependencies-container-16.2.6-7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-01-08 15:34:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Hill 2023-11-20 17:45:52 UTC
Description of problem:
Following minor update from 16.2.5 to 16.2.6, RBAC no longer works for some networks.

2023-11-20 13:26:01.179 32 INFO neutron.pecan_wsgi.hooks.translation [req-35594b55-cf0d-4895-bed0-66d02123990a ad35ecf7666ba6a0b9baa5fef0421ea94258a7c3d28bf164a1f48eb914f6d213 38b5b8cd675d44d298cf6f671795b136 - 62cf1b5ec006489db99e2b0ebfb55f57 62cf1b5ec006489db99e2b0ebfb55f57] POST failed (client error): Tenant 38b5b8cd675d44d298cf6f671795b136 not allowed to create port on this network

Version-Release number of selected component (if applicable):
Latest

How reproducible:
Internally

Steps to Reproduce:
1. Minor update to 16.2.6
2.
3.

Actual results:
Users are no longer able to create ports in shared/external networks.

Expected results:
No regression.

Additional info:

Comment 3 Jakub Libosvar 2023-11-21 17:10:33 UTC
It depends on the order in which SQL returns records for the RBAC. If the shared RBAC entry is returned first then it works. If the external RBAC entry is returned first then tenants don't see the shared networks, since there is a GROUP BY clause in the SQL query - created by https://review.opendev.org/c/openstack/neutron-lib/+/884878/1/neutron_lib/db/model_query.py
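
An added illustration of the order dependence described in Comment 3; it is not neutron-lib code and not part of the original bug report. It models the GROUP BY collapse as "the first returned RBAC row per network survives", as the comment describes, and compares it with a check over all rows. The row layout, network names and project id are constructed; `access_as_shared` and `access_as_external` are Neutron's RBAC action names.

```python
from collections import defaultdict

# Constructed sample: one network carrying both an external and a shared RBAC
# entry, one carrying only a shared entry. The keys are a simplified stand-in
# for Neutron's network RBAC table, not its real schema.
SHARED, EXTERNAL = "access_as_shared", "access_as_external"
RBAC_ROWS = [
    {"network": "net-ext-shared", "action": EXTERNAL, "target": "*"},
    {"network": "net-ext-shared", "action": SHARED, "target": "*"},
    {"network": "net-shared-only", "action": SHARED, "target": "*"},
]


def grants_shared(row, project):
    """True if this single RBAC row shares the network with the project."""
    return row["action"] == SHARED and row["target"] in ("*", project)


def visible_first_row(rows, project):
    """Model of the GROUP BY collapse: one row per network survives (the
    first one returned) and only that row is checked."""
    survivor = {}
    for row in rows:
        survivor.setdefault(row["network"], row)
    return sorted(n for n, r in survivor.items() if grants_shared(r, project))


def visible_any_row(rows, project):
    """Order-independent check: a network is visible if any of its RBAC
    rows grants shared access (the EXISTS / any() form)."""
    return sorted({r["network"] for r in rows if grants_shared(r, project)})


def order_sensitive_networks(rows):
    """Networks with more than one distinct RBAC action, i.e. those whose
    visibility can change with row order under the first-row model."""
    actions = defaultdict(set)
    for row in rows:
        actions[row["network"]].add(row["action"])
    return sorted(n for n, a in actions.items() if len(a) > 1)


if __name__ == "__main__":
    project = "project-a"  # hypothetical project id
    print(visible_first_row(RBAC_ROWS, project))        # external row first
    print(visible_first_row(RBAC_ROWS[::-1], project))  # shared row first
    print(visible_any_row(RBAC_ROWS, project))
    print(order_sensitive_networks(RBAC_ROWS))
```

`order_sensitive_networks` is the check an operator would run over an RBAC export to list the networks exposed to this regression before and after applying the erratum.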

Comment 24 errata-xmlrpc 2024-01-08 15:34:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Updated Red Hat OpenStack Platform 16.2.6 container images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0082

Comment 25 Slawek Kaplonski 2024-08-29 14:46:05 UTC
*** Bug 2307326 has been marked as a duplicate of this bug. ***