RBAC "Access_as_external" policy update

Bug #1577100 reported by Alex Stafeyev
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Kevin Benton

Bug Description

I was trying to update the "target_tenant" field in an existing RBAC policy. The policy is an "access_as_external" policy.

On an admin tenant, with an admin user, I created an external network. This automatically creates an "access_as_external" action RBAC policy with the "*" value for the "target_tenant" attribute.

+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_external                   |
| id            | f09399eb-1829-4675-8155-4972b4378b9c |
| object_id     | 0ff86006-8d7d-4e9b-ba11-960c7ff50dae |
| object_type   | network                              |
| target_tenant | *                                    |
| tenant_id     | a654338c862f401a8665c3fbed289a75     |
+---------------+--------------------------------------+

I wanted to update the RBAC policy but encountered the following error:
"neutron rbac-update f09399eb-1829-4675-8155-4972b4378b9c --target_tenant a654338c862f401a8665c3fbed289a75
RBAC policy on object 0ff86006-8d7d-4e9b-ba11-960c7ff50dae cannot be removed because other objects depend on it.
Details: Callback neutron.plugins.ml2.plugin.Ml2Plugin._validate_ext_not_in_use_by_tenant failed with "'policy_tenant'"
Neutron server returns request_ids: ['req-218d22bd-f484-41e3-9908-798bb93ae149']"

The external network is not in use by any router or any other object.

Reproduction steps:

1. Create a network with the "router:external" attribute (an external network).
2. List the RBAC policies and show the existing RBAC policy for the external network (see object_id = network_id).
3. Execute "neutron rbac-update RBACPOLICYID --target_tenant DESIRED_TENANT_ID".

Version:
MITAKA on rhel 7.2

$ rpm -qa | grep neutron
python-neutron-lib-0.0.2-1.el7.noarch
openstack-neutron-openvswitch-8.0.0-1.el7.noarch
openstack-neutron-8.0.0-1.el7.noarch
python-neutronclient-4.1.1-2.el7.noarch
python-neutron-8.0.0-1.el7.noarch
openstack-neutron-metering-agent-8.0.0-1.el7.noarch
openstack-neutron-ml2-8.0.0-1.el7.noarch
openstack-neutron-common-8.0.0-1.el7.noarch

AllInOne environment. (packstack installation)

Alex Stafeyev (astafeye)
description: updated
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Kevin Benton (kevinbenton)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/311897

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/311897
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=89297919a73c1e7f86c61d08f3f3d15278f5763a
Submitter: Jenkins
Branch: master

commit 89297919a73c1e7f86c61d08f3f3d15278f5763a
Author: Kevin Benton <email address hidden>
Date: Fri Apr 29 23:24:34 2016 -0700

    Fix update target tenant RBAC external path

    This fixes the logic to allow updates to wildcard RBAC external
    policies. It was broken for two reasons: first, it was using the
    wrong kwarg, second, it wasn't considering the target tenant when
    determining if the policy was required.

    This patch fixes both issues and adds an API test exercising the
    update path.

    Closes-Bug: #1577100
    Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201

Changed in neutron:
status: In Progress → Fix Released
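
The two defects named in the commit message, shown as a simplified model added here for illustration (it is not neutron's code): a validator that reads a kwarg the caller never passes, and one that ignores the new target tenant when deciding whether the policy is still required. All function names, the `new_target_tenant` kwarg and the tenant names are hypothetical; the `object_id` and `target_tenant` values are the ones shown in the report.

```python
# Simplified model, not neutron code; every name here is hypothetical.
WILDCARD = "*"

class PolicyInUse(Exception):
    """Changing the policy would cut off a tenant that still uses the network."""

def dependents(policy, gateway_tenants, explicit_tenants):
    """Tenants with router gateways on the network that rely on `policy`."""
    if policy["target_tenant"] != WILDCARD:
        return gateway_tenants & {policy["target_tenant"]}
    # Tenants holding their own explicit policy do not rely on the wildcard.
    return gateway_tenants - explicit_tenants

def validate_buggy(policy, gateway_tenants, explicit_tenants, **kwargs):
    kwargs["policy_tenant"]  # defect 1: kwarg the caller never passes -> KeyError
    # defect 2: the new target tenant plays no part in the decision
    if dependents(policy, gateway_tenants, explicit_tenants):
        raise PolicyInUse(policy["object_id"])

def validate_fixed(policy, gateway_tenants, explicit_tenants, **kwargs):
    new_tenant = kwargs["new_target_tenant"]
    if new_tenant in (WILDCARD, policy["target_tenant"]):
        return  # access is not being narrowed
    # The new target keeps access, so its own routers are not a conflict.
    stranded = dependents(policy, gateway_tenants, explicit_tenants) - {new_tenant}
    if stranded:
        raise PolicyInUse(", ".join(sorted(stranded)))

def try_update(validator, policy, new_tenant, gateway_tenants=(), explicit_tenants=()):
    """Run a validator the way a callback dispatcher would: any exception blocks."""
    try:
        validator(policy, set(gateway_tenants), set(explicit_tenants),
                  new_target_tenant=new_tenant)
    except Exception as exc:
        return "blocked: %s" % exc
    return "ok"

# Policy values from the report; the tenant names below are constructed.
POLICY = {"object_id": "0ff86006-8d7d-4e9b-ba11-960c7ff50dae",
          "target_tenant": WILDCARD}

if __name__ == "__main__":
    # Unused network: the buggy validator still blocks, with the KeyError text.
    print(try_update(validate_buggy, POLICY, "tenant-a"))
    print(try_update(validate_fixed, POLICY, "tenant-a"))
    # Another tenant still has a gateway on the network: narrowing is refused.
    print(try_update(validate_fixed, POLICY, "tenant-a", {"tenant-a", "tenant-b"}))
```
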
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/315264

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/315264
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c98c866e8c9e0c136791832bb32e28623aee5ea5
Submitter: Jenkins
Branch: stable/mitaka

commit c98c866e8c9e0c136791832bb32e28623aee5ea5
Author: Kevin Benton <email address hidden>
Date: Fri Apr 29 23:24:34 2016 -0700

    Fix update target tenant RBAC external path

    This fixes the logic to allow updates to wildcard RBAC external
    policies. It was broken for two reasons: first, it was using the
    wrong kwarg, second, it wasn't considering the target tenant when
    determining if the policy was required.

    This patch fixes both issues and adds an API test exercising the
    update path.

    Closes-Bug: #1577100
    Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201
    (cherry picked from commit 89297919a73c1e7f86c61d08f3f3d15278f5763a)

tags: added: in-stable-mitaka
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.1.1

This issue was fixed in the openstack/neutron 8.1.1 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 9.0.0.0b1

This issue was fixed in the openstack/neutron 9.0.0.0b1 development milestone.
