Cannot set --no-share on shared network covered also by "access_as_shared" RBAC policy

Bug #1764330 reported by Slawek Kaplonski
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski

Bug Description

It is not possible to set a network as not shared if it was also shared via an RBAC policy for a specific tenant.

How to reproduce bug:

1. Create 2 projects (tenants): tenantA and tenantB
2. TenantA creates an external network (ext_net_A) + subnet
3. For the external network neutron automatically creates a wildcard 'access_as_external' RBAC rule
4. TenantA can create a new port on ext_net_A; TenantB is not allowed to do the same
5. Create a new 'access_as_shared' RBAC rule granting TenantB access to ext_net_A
6. TenantB is now able to create a port on ext_net_A
7. TenantA sets the shared flag to True on ext_net_A (openstack network set --share <net ID>), which creates a new wildcard 'access_as_shared' RBAC rule
8. TenantA tries to unshare ext_net_A (openstack network set --no-share <net ID>), which fails with: HttpException: Conflict

There were no ports added or any other changes made to ext_net_A between sharing and unsharing it.
Neutron should be able to unshare the network since the only tenant using it (tenantB) is already covered by a specific RBAC rule created in step 5.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/561589

Changed in neutron:
status: Confirmed → In Progress
tags: added: access-control
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/561589
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7aa941cc09aef8efe54f5bac111248d296e9c8ef
Submitter: Zuul
Branch: master

commit 7aa941cc09aef8efe54f5bac111248d296e9c8ef
Author: Sławek Kapłoński <email address hidden>
Date: Mon Apr 16 13:17:17 2018 +0200

    [RBAC] Fix setting network as not shared

    When a network was shared with a specified project
    by an RBAC rule and it was also set as "shared", there was
    a bug which prevented setting such a network as not shared even
    if the only projects which still used the network were the owner and
    the project with the specified RBAC rule.

    This patch fixes it by adding an additional check in
    NeutronDbPluginV2._validate_shared_update() in such a case.

    Change-Id: I6ab05a8f0ece454f5bef8ba978af05f5fa1354d8
    Closes-Bug: #1764330

Changed in neutron:
status: In Progress → Fix Released
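
The check described in the bug report and in the commit message above, as a simplified model added here (not neutron's code). The names `RbacEntry`, `blocking_tenants` and `validate_unshare` are hypothetical, and the sample state assumes tenantB actually created a port in step 6.

```python
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class RbacEntry:
    target_tenant: str
    action: str


class Conflict(Exception):
    """Stands in for the HTTP 409 Conflict seen in step 8."""


def blocking_tenants(owner, rbac_entries, port_tenants, honor_specific_rules):
    """Tenants with ports on the network that would lose access once the
    wildcard 'access_as_shared' rule is removed."""
    allowed = {owner}
    if honor_specific_rules:
        # Behaviour after the fix: tenants holding their own non-wildcard
        # 'access_as_shared' rule keep access, so they do not block unsharing.
        allowed |= {e.target_tenant for e in rbac_entries
                    if e.action == "access_as_shared"
                    and e.target_tenant != WILDCARD}
    return sorted(set(port_tenants) - allowed)


def validate_unshare(owner, rbac_entries, port_tenants,
                     honor_specific_rules=True):
    """Return True if --no-share may proceed, otherwise raise Conflict."""
    blockers = blocking_tenants(owner, rbac_entries, port_tenants,
                                honor_specific_rules)
    if blockers:
        raise Conflict("network still in use by: " + ", ".join(blockers))
    return True


# Constructed state of ext_net_A after step 7 of the reproduction.
ENTRIES = [
    RbacEntry(WILDCARD, "access_as_external"),  # step 3, created automatically
    RbacEntry("tenantB", "access_as_shared"),   # step 5, specific grant
    RbacEntry(WILDCARD, "access_as_shared"),    # step 7, from --share
]
PORT_TENANTS = ["tenantA", "tenantB"]           # owner plus tenantB's port
```

With `honor_specific_rules=False` the model reproduces the reported Conflict. A port owned by a tenant that has no specific rule still blocks unsharing in both modes, which is the access-control property the validation exists to protect.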
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/562963

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/562963
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d604e831e8a5f3fc8fd489fade5dd821cec84de9
Submitter: Zuul
Branch: stable/queens

commit d604e831e8a5f3fc8fd489fade5dd821cec84de9
Author: Sławek Kapłoński <email address hidden>
Date: Mon Apr 16 13:17:17 2018 +0200

    [RBAC] Fix setting network as not shared

    When a network was shared with a specified project
    by an RBAC rule and it was also set as "shared", there was
    a bug which prevented setting such a network as not shared even
    if the only projects which still used the network were the owner and
    the project with the specified RBAC rule.

    This patch fixes it by adding an additional check in
    NeutronDbPluginV2._validate_shared_update() in such a case.

    Change-Id: I6ab05a8f0ece454f5bef8ba978af05f5fa1354d8
    Closes-Bug: #1764330
    (cherry picked from commit 7aa941cc09aef8efe54f5bac111248d296e9c8ef)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/563509

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/563509
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1d3568da772dfba989f6b0f18a99f6d02860c2a6
Submitter: Zuul
Branch: stable/pike

commit 1d3568da772dfba989f6b0f18a99f6d02860c2a6
Author: Sławek Kapłoński <email address hidden>
Date: Mon Apr 16 13:17:17 2018 +0200

    [RBAC] Fix setting network as not shared

    When a network was shared with a specified project
    by an RBAC rule and it was also set as "shared", there was
    a bug which prevented setting such a network as not shared even
    if the only projects which still used the network were the owner and
    the project with the specified RBAC rule.

    This patch fixes it by adding an additional check in
    NeutronDbPluginV2._validate_shared_update() in such a case.

    Change-Id: I6ab05a8f0ece454f5bef8ba978af05f5fa1354d8
    Closes-Bug: #1764330
    (cherry picked from commit 7aa941cc09aef8efe54f5bac111248d296e9c8ef)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.4

This issue was fixed in the openstack/neutron 11.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.2

This issue was fixed in the openstack/neutron 12.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0b2

This issue was fixed in the openstack/neutron 13.0.0.0b2 development milestone.
