2250708 – External shared networks may not be seen by other projects

Bug 2250708 - External shared networks may not be seen by other projects

Summary: External shared networks may not be seen by other projects

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-containers
Sub Component:
Version:	16.2 (Train)
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	async
Target Release:	16.2 (Train on RHEL 8.4)
Assignee:	Priscila Gutierres
QA Contact:	Arik Chernetsky
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2307326 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-11-20 17:45 UTC by David Hill
Modified:	2024-08-29 14:46 UTC (History)
CC List:	18 users (show)
Fixed In Version:	openstack-dependencies-container-16.2.6-7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-01-08 15:34:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad.net	2044171	None	None	None	2023-11-21 17:58:25 UTC
OpenStack gerrit	901565	None	ABANDONED	Revert "Add a "GROUP BY" clause on queries with RBAC entries"	2023-12-01 14:07:54 UTC
Red Hat Issue Tracker	OSP-30509	None	None	None	2023-11-20 17:46:09 UTC
Red Hat Issue Tracker	RHEL-17464	None	None	None	2023-11-28 10:06:00 UTC
Red Hat Knowledge Base (Solution)	7045612	None	None	None	2023-11-20 17:49:06 UTC
Red Hat Product Errata	RHBA-2024:0082	None	None	None	2024-01-08 15:34:03 UTC

Description David Hill 2023-11-20 17:45:52 UTC

Description of problem:
Following minor update from 16.2.5 to 16.2.6, RBAC no longer works for some networks.

2023-11-20 13:26:01.179 32 INFO neutron.pecan_wsgi.hooks.translation [req-35594b55-cf0d-4895-bed0-66d02123990a ad35ecf7666ba6a0b9baa5fef0421ea94258a7c3d28bf164a1f48eb914f6d213 38b5b8cd675d44d298cf6f671795b136 - 62cf1b5ec006489db99e2b0ebfb55f57 62cf1b5ec006489db99e2b0ebfb55f57] POST failed (client error): Tenant 38b5b8cd675d44d298cf6f671795b136 not allowed to create port on this network

Version-Release number of selected component (if applicable):
Latest

How reproducible:
Internally

Steps to Reproduce:
1. Minor update to 16.2.6
2.
3.

Actual results:
Users are no longer able to to create ports in shared/external networks.

Expected results:
No regression.

Additional info:

Comment 3 Jakub Libosvar 2023-11-21 17:10:33 UTC

It depends on order of how SQL returns records for the rbac. If the shared rbac entry is returned first then it works. If external rbac is returned first then tenants don't see the shared networks since there is GROUP BY clause in the SQL query - created by https://review.opendev.org/c/openstack/neutron-lib/+/884878/1/neutron_lib/db/model_query.py

Comment 24 errata-xmlrpc 2024-01-08 15:34:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Updated Red Hat OpenStack Platform 16.2.6 container images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0082

Comment 25 Slawek Kaplonski 2024-08-29 14:46:05 UTC

*** Bug 2307326 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.