RBAC "Access_as_external" multiple IDs in target_tenant

Bug #1577101 reported by Alex Stafeyev
Affects   Status    Importance  Assigned to  Milestone
neutron   Invalid   Undecided   Unassigned

Bug Description

On an admin tenant, with an admin user, I created an external network. This automatically creates an "access_as_external" action RBAC policy with "*" value for the "target_tenant" attribute.

I deleted this RBAC policy and manually created a new one with two tenant IDs in the "target_tenant" field.

$ openstack project list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 1cdeee0a38b943859f23750a651db12c | demo |
| 8d3f62906c3949e4a2832df2b86c71e8 | services |
| a654338c862f401a8665c3fbed289a75 | admin |
| b0dc258dd3204bf99750589d1ed23996 | tenantA | <--------
+----------------------------------+----------+

$ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
Created a new rbac_policy:
+---------------+-------------------------------------------------------------------+
| Field | Value |
+---------------+-------------------------------------------------------------------+
| action | access_as_external |
| id | 3fc0bc16-685e-431a-8460-85ad5f8c3d96 |
| object_id | 1f2405cd-90ab-439c-9061-e99d9c6c7a35 |
| object_type | network |
| target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 |
| tenant_id | a654338c862f401a8665c3fbed289a75 |
+---------------+-------------------------------------------------------------------+

$ . keystonerc_tenantA
$ neutron net-list
                                                                          <---- we should see the network
$

Reproduction:
1. create external network.
2. delete its "access_as_external" rbac policy
3. Create a new rbac policy :
neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network

Version:
Mitaka on RHEL 7.2

$ rpm -qa | grep neutron
python-neutron-lib-0.0.2-1.el7.noarch
openstack-neutron-openvswitch-8.0.0-1.el7.noarch
openstack-neutron-8.0.0-1.el7.noarch
python-neutronclient-4.1.1-2.el7.noarch
python-neutron-8.0.0-1.el7.noarch
openstack-neutron-metering-agent-8.0.0-1.el7.noarch
openstack-neutron-ml2-8.0.0-1.el7.noarch
openstack-neutron-common-8.0.0-1.el7.noarch

packstack installation

All In One

Alex Stafeyev (astafeye)
description: updated
Revision history for this message
Kevin Benton (kevinbenton) wrote:

The appropriate way to create policies for multiple tenants is to create multiple policies.

neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75 --type network

neutron rbac-create admin-ext --action access_as_external --target-tenant b0dc258dd3204bf99750589d1ed23996 --type network

Changed in neutron:
status: New → Invalid
Alex Stafeyev (astafeye) wrote:

Hi Kevin,
If so, IMHO we should block the ability to insert any value except "*" and one existing tenant ID. All other options should return a configuration error. Don't you agree?

Kevin Benton (kevinbenton) wrote:

Neutron doesn't validate any tenant IDs right now. So enforcing the format of a tenant ID in this particular case would not fit with the rest of the things that accept tenant IDs.

Assaf Muller (amuller) wrote:

@Kevin, would it be possible to add a global validator for all tenant_id fields in Neutron, so that we validate that the input is of UUID format? Anything with a comma should be rejected for example.
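As an added example, not code from the bug report or from Neutron itself: a POSIX shell helper that follows Kevin's one-policy-per-tenant approach and applies the format check Assaf asks for, on the client side, before the CLI is ever called. It assumes the `neutron rbac-create` invocation shown in the report, and that a Keystone project ID is 32 lowercase hex digits; the function names and the usage line are ours.

```shell
#!/bin/sh
# Added example (not from the bug report or Neutron): create one
# access_as_external RBAC policy per tenant, because Neutron does not
# split or validate a comma-separated target_tenant value and the
# resulting policy silently matches no tenant at all.

# Accept "*" or a 32-hex-digit Keystone project ID (assumed format).
# Anything else, in particular a comma-joined list, is rejected.
is_valid_target_tenant() {
    case "$1" in
        '*') return 0 ;;
        *[!0-9a-f]*) return 1 ;;   # any non-hex character, including ','
        ????????????????????????????????) return 0 ;;   # exactly 32 hex digits
        *) return 1 ;;
    esac
}

# Usage: create_external_access_policies NET_ID TENANT_ID...
# Validates every ID first, so one bad ID cannot leave a half-applied set,
# then calls the neutron CLI once per tenant, as Kevin describes above.
# Returns 1 on a malformed ID, 2 on bad usage, or the CLI's own status.
create_external_access_policies() {
    if [ $# -lt 2 ]; then
        echo "usage: create_external_access_policies NET_ID TENANT_ID..." >&2
        return 2
    fi
    net_id="$1"; shift
    for t in "$@"; do
        if ! is_valid_target_tenant "$t"; then
            echo "invalid target_tenant '$t' (expected '*' or a 32-hex project ID)" >&2
            return 1
        fi
    done
    for t in "$@"; do
        neutron rbac-create "$net_id" --action access_as_external \
            --target-tenant "$t" --type network || return $?
    done
}

# Run directly: ./rbac-ext.sh NET_ID TENANT_ID [TENANT_ID...]
if [ $# -gt 0 ]; then
    create_external_access_policies "$@"
fi
```

The check lives entirely in the wrapper: as Kevin notes, the Neutron API of this version accepts any string as a tenant ID, so a malformed policy submitted by some other client is still stored unchanged. Because the policy matches nothing, the failure is closed rather than open; the practical symptom is exactly the empty `net-list` in the report.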
