Stack creation fails for non-admin user if external_gateway_info is set in OS::Neutron::Router properties

Bug #1306593 reported by Ala Rezmerita
Affects          Status        Importance  Assigned to      Milestone
OpenStack Heat   Fix Released  Medium      Thomas Herve
Icehouse         Fix Released  Medium      Attila Fazekas

Bug Description

I have this template:

heat_template_version: 2013-05-23
description: Template that fails
parameters:
  external_network:
    constraints:
    - custom_constraint: neutron.network
    description: Network
    type: string
resources:
  my_router:
    type: OS::Neutron::Router
    properties:
      admin_state_up: true
      external_gateway_info:
        network:
          get_param: external_network
      name: my_router

The stack creation fails with the message: Create_Failed: Resource CREATE failed: NeutronClientException: Policy doesn't allow create_router to be performed.

In fact, when an external_gateway_info is given in the router properties, heat adds an enable_snat parameter to the router creation request, and that parameter is restricted to the admin role in neutron's policy.json:
"create_router:external_gateway_info:enable_snat": "rule:admin_only"

Thomas Herve (therve)
Changed in heat:
milestone: none → juno-1
assignee: nobody → Thomas Herve (therve)
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/87077

Changed in heat:
status: New → In Progress
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/87077
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=d7836e922577f8fad4a2fba4658d4f74ed8a2e4a
Submitter: Jenkins
Branch: master

commit d7836e922577f8fad4a2fba4658d4f74ed8a2e4a
Author: Thomas Herve <email address hidden>
Date: Fri Apr 11 17:32:52 2014 +0200

    Don't pass enable_snat by default in Router

    The patch removes the default for enable_snat in the Router resource and
    removes the value if not specified, to make it possible for non-admin
    users to create routers: a policy rule in neutron forbids non-admin users
    from passing the enable_snat value.

    It doesn't break backward compatibility as enable_snat is the default in
    neutron.

    Co-Authored-By: <email address hidden>
    Closes-Bug: #1306593
    Change-Id: Ib9d31f7e0a246bcaa663aaa74755526f8e31df7e
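
The failure mode described in the bug report and the fix described in the commit message above, as an added example. This is not Heat's or Neutron's own code: the policy engine below is a small stand-in for Neutron's attribute-level policy checks, the only rule taken from the page is the enable_snat line quoted in the bug description (the create_router rule is an assumption), and the two body builders, the property dictionary and the role lists are constructed for this example. The point it makes is that Neutron only evaluates an "action:attr:subattr" rule when that sub-attribute is present in the request, so sending enable_snat by default is what tripped the admin-only rule.

```python
"""Added example, not code from Heat or Neutron: a model of why a template
with external_gateway_info failed for non-admin users, and what the fix in
the commit above changes. Only the enable_snat rule is quoted from the bug
report; the rest of the policy table, the request bodies and the roles are
constructed for this example.
"""
from typing import Any, Callable, Dict, Iterable

# Stand-in for neutron's policy.json. The enable_snat line is the rule quoted
# in the bug report; the create_router line is an assumption for this model.
POLICY = {
    "create_router": "rule:regular_user",
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
}


class PolicyNotAuthorized(Exception):
    """Raised where Neutron would answer "Policy doesn't allow ..."."""


def _rule_allows(rule: str, roles: Iterable[str]) -> bool:
    # Only the two rule targets this model needs; the real engine is richer.
    if rule == "rule:admin_only":
        return "admin" in roles
    if rule == "rule:regular_user":
        return True
    raise ValueError(f"unknown rule {rule!r}")


def enforce(action: str, body: Dict[str, Any], roles: Iterable[str]) -> None:
    """Check the action and every attribute/sub-attribute present in body.

    The property that matters here: a rule keyed "action:attr:subattr" is
    evaluated only when that sub-attribute is actually in the request, so
    a body that omits enable_snat never hits the admin-only rule.
    """
    roles = set(roles)
    if not _rule_allows(POLICY.get(action, "rule:regular_user"), roles):
        raise PolicyNotAuthorized(f"Policy doesn't allow {action} to be performed.")
    for attr, value in body.items():
        keys = [f"{action}:{attr}"]
        if isinstance(value, dict):
            keys += [f"{action}:{attr}:{sub}" for sub in value]
        for key in keys:
            if key in POLICY and not _rule_allows(POLICY[key], roles):
                raise PolicyNotAuthorized(
                    f"Policy doesn't allow {action} to be performed."
                )


def router_body_before_fix(props: Dict[str, Any]) -> Dict[str, Any]:
    """Body as built before the fix: enable_snat always sent, defaulting to True."""
    body = {"name": props["name"], "admin_state_up": props.get("admin_state_up", True)}
    gw = props.get("external_gateway_info")
    if gw:
        # Assumption: the template's "network" value is already a network ID.
        body["external_gateway_info"] = {
            "network_id": gw["network"],
            "enable_snat": gw.get("enable_snat", True),
        }
    return body


def router_body_after_fix(props: Dict[str, Any]) -> Dict[str, Any]:
    """Body after the fix: enable_snat sent only when the template sets it."""
    body = {"name": props["name"], "admin_state_up": props.get("admin_state_up", True)}
    gw = props.get("external_gateway_info")
    if gw:
        ext: Dict[str, Any] = {"network_id": gw["network"]}
        if gw.get("enable_snat") is not None:  # False is a real value; keep it
            ext["enable_snat"] = gw["enable_snat"]
        body["external_gateway_info"] = ext
    return body


Builder = Callable[[Dict[str, Any]], Dict[str, Any]]


def create_router(builder: Builder, props: Dict[str, Any], roles: Iterable[str]) -> Dict[str, Any]:
    """Build the request with the given builder and run it through the policy check."""
    body = builder(props)
    enforce("create_router", body, roles)
    return body


def denied(builder: Builder, props: Dict[str, Any], roles: Iterable[str]) -> bool:
    """True when the modelled Neutron policy rejects the request."""
    try:
        create_router(builder, props, roles)
    except PolicyNotAuthorized:
        return True
    return False


# Constructed properties matching the template in the bug report.
TEMPLATE_PROPS: Dict[str, Any] = {
    "name": "my_router",
    "admin_state_up": True,
    "external_gateway_info": {"network": "ext-net-id"},
}

if __name__ == "__main__":
    print("before fix, non-admin denied:", denied(router_body_before_fix, TEMPLATE_PROPS, ["member"]))
    print("after fix, non-admin body:", create_router(router_body_after_fix, TEMPLATE_PROPS, ["member"]))
```

Two caveats follow from the model. First, the fix only stops Heat from volunteering enable_snat: a non-admin template that sets enable_snat explicitly still fails against the stock rule, so on a cloud with the default policy that property is effectively admin-only. Second, the fix relies on Neutron's own default for enable_snat being True, which is why the commit message can say backward compatibility is preserved; an operator who changed that default in Neutron gets the new default on routers created from templates that do not set the property.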

Changed in heat:
status: In Progress → Fix Committed
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to heat (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/90641

Openstack Gerrit (openstack-gerrit) wrote : Fix merged to heat (stable/icehouse)

Reviewed: https://review.openstack.org/90641
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=27557c9abd453f028ec7eb9d01952c2c865dd614
Submitter: Jenkins
Branch: stable/icehouse

commit 27557c9abd453f028ec7eb9d01952c2c865dd614
Author: Thomas Herve <email address hidden>
Date: Fri Apr 11 17:32:52 2014 +0200

    Don't pass enable_snat by default in Router

    The patch removes the default for enable_snat in the Router resource and
    removes the value if not specified, to make it possible for non-admin
    users to create routers: a policy rule in neutron forbids non-admin users
    from passing the enable_snat value.

    It doesn't break backward compatibility as enable_snat is the default in
    neutron.

    Co-Authored-By: <email address hidden>
    Closes-Bug: #1306593
    Change-Id: Ib9d31f7e0a246bcaa663aaa74755526f8e31df7e
    (cherry picked from commit d7836e922577f8fad4a2fba4658d4f74ed8a2e4a)

tags: added: in-stable-icehouse
Alan Pevec (apevec)
tags: removed: in-stable-icehouse
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-1 → 2014.2