rbac shared network add_router_interface fails for non-admin

Bug #1662477 reported by Maurice Escher
This bug affects 2 people
Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We are on mitaka and use rbac to share private networks.
We defined in the neutron policy that non-admin users can attach router interfaces, but this fails on shared networks, because rbac is not taken into account here: https://github.com/openstack/neutron/blob/a0e0e8b6686b847a4963a6aa6a3224b5768544e6/neutron/api/v2/attributes.py#L372

The related error that led me to that line is this: http://paste.openstack.org/show/597918/

And this is still present in master: https://github.com/openstack/neutron/blob/1c5bf09a03b0fe463ba446d2a19087be7a0504a7/neutron/api/v2/attributes.py#L372

I'm happy to give more details, if needed.

tags: added: access-control
Changed in neutron:
assignee: nobody → Anindita Das (anindita-das)
songminglong (songminglong) wrote :

I could not reproduce the bug

Maurice Escher (maurice-escher) wrote :

These are the steps needed to reproduce:

- in project A create a router:external=false aka private network
- create an rbac to share the network with project B (B is target_tenant, action is access_as_shared)
- in project B create a router
- in project B as a non-admin (meaning whatever you have in your policy for the 'context_is_admin' rule must not match) try to attach a router interface with a subnet of the above network to the router

Hint: maybe you need to adjust the policy to allow non-admins to create a router interface, this is separately configurable via the policy rule 'add_router_interface'.
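A minimal model of the ownership check the report points at, added here for illustration and not neutron's own code: the first check only passes the owning project (or an admin, or a globally shared network) and so rejects project B, the second additionally honours access_as_shared RBAC entries. The network, RBAC entry and function names are constructed assumptions.

```python
# Constructed sample data mirroring the reproduction steps: project A owns a
# private network and shares it with project B via an RBAC entry.
NETWORK = {"id": "net-1", "tenant_id": "project-A", "shared": False}
RBAC_ENTRIES = [
    {"object_id": "net-1", "action": "access_as_shared", "target_tenant": "project-B"},
]


def network_visible_without_rbac(network, tenant_id, is_admin=False):
    """Behaviour described in the report: only the owner, an admin, or a
    globally shared network passes; RBAC grants are not consulted."""
    return is_admin or network["shared"] or network["tenant_id"] == tenant_id


def network_visible_with_rbac(network, rbac_entries, tenant_id, is_admin=False):
    """RBAC-aware variant: also accept access_as_shared entries whose target
    is the caller's project or the wildcard '*'."""
    if network_visible_without_rbac(network, tenant_id, is_admin):
        return True
    return any(
        e["object_id"] == network["id"]
        and e["action"] == "access_as_shared"
        and e["target_tenant"] in (tenant_id, "*")
        for e in rbac_entries
    )


def can_add_router_interface(tenant_id, is_admin=False, rbac_aware=True):
    """Decide whether project `tenant_id` may attach a subnet of NETWORK to
    its router under either check. Returns True when allowed."""
    if rbac_aware:
        return network_visible_with_rbac(NETWORK, RBAC_ENTRIES, tenant_id, is_admin)
    return network_visible_without_rbac(NETWORK, tenant_id, is_admin)


if __name__ == "__main__":
    for aware in (False, True):
        allowed = can_add_router_interface("project-B", rbac_aware=aware)
        print("rbac_aware=%s -> project-B allowed: %s" % (aware, allowed))
```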

Changed in neutron:
assignee: Anindita Das (anindita-das) → nobody
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

I can't reproduce this bug with newer versions. I'll close it.

Regards.

Changed in neutron:
status: New → Invalid