"disallowed by policy" error when a user tries to create_port with fixed_ips

Bug #2039464 reported by Satish Patel
Affects: neutron | Status: Expired | Importance: Medium | Assigned to: Unassigned | Milestone: none

Bug Description

OS: Ubuntu 22.04
Openstack Release: Zed
Deployment tool: Kolla-ansible
Neutron Plugin: OVN

I have set up an RBAC policy on my external network, and here is the policy.yaml file:

"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"

I have RBAC set up on the following network to allow a specific project to access it.

# openstack network show public-network-948
+---------------------------+----------------------------------------------------------------------------+
| Field | Value |
+---------------------------+----------------------------------------------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2023-09-01T20:31:36Z |
| description | |
| dns_domain | |
| id | 5aacb586-c234-449e-a209-45fc63c8de26 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public-network-948 |
| port_security_enabled | True |
| project_id | 1ed68ab792854dc99c1b2d31bf90019b |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 9 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | d36886a2-99d3-4e2b-93ed-9e3cfabf5817, dba7a427-dccb-4a5a-a8e0-23fcda64666d |
| tags | |
| tenant_id | 1ed68ab792854dc99c1b2d31bf90019b |
| updated_at | 2023-10-15T18:13:52Z |
+---------------------------+----------------------------------------------------------------------------+

When a normal user tries to create a port, they get the following error:

# openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=204.247.186.133 test1
ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy

openstack debug output: https://pastebin.com/act1n7cv

Reference Bug:
https://bugs.launchpad.net/neutron/+bug/1808112
https://bugs.launchpad.net/neutron/+bug/1833455
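An added illustration, not Neutron or oslo.policy code: a minimal evaluator for the three rules quoted above, run against a constructed request context. The base checks (context_is_advsvc, network_owner, admin_only, shared) and the create_port base rule are simplified assumptions modelled on Neutron's defaults; it shows that the 403 is a conjunction, so a non-owner member only passes when the target network is actually seen as shared.

```python
"""Tiny evaluator for the policy.yaml rules quoted in this bug report.

Constructed example, not Neutron or oslo.policy code. Base checks are
simplified stand-ins for Neutron's default rule definitions (assumption).
"""

# The three rules from the bug description plus an assumed create_port rule.
POLICY = {
    "create_port": "rule:admin_only or rule:member",
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared",
}

# Simplified base checks keyed by rule name (assumption: mirrors Neutron defaults).
BASE_CHECKS = {
    "context_is_advsvc": lambda ctx, tgt: "advsvc" in ctx["roles"],
    "admin_only": lambda ctx, tgt: "admin" in ctx["roles"],
    "member": lambda ctx, tgt: "member" in ctx["roles"],
    "network_owner": lambda ctx, tgt: ctx["project_id"] == tgt["network"]["project_id"],
    "shared": lambda ctx, tgt: tgt["network"]["shared"] is True,
}


def check(rule, ctx, tgt):
    """Evaluate a rule name: 'rule:x or rule:y' disjunctions, else a base check."""
    expr = POLICY.get(rule)
    if expr is None:
        return BASE_CHECKS[rule](ctx, tgt)
    return any(check(term.split(":", 1)[1], ctx, tgt) for term in expr.split(" or "))


def create_port_with_fixed_ips_allowed(ctx, tgt):
    """The conjunction Neutron reports in the 403: every sub-rule must pass."""
    return all(check(rule, ctx, tgt) for rule in POLICY)


def explain(ctx, tgt):
    """Per-rule verdicts, useful to see which sub-rule causes the denial."""
    return {rule: check(rule, ctx, tgt) for rule in POLICY}


# Constructed context: a plain 'member' of the target project (like user00183).
MEMBER_CTX = {"project_id": "b7ef60710f9a470785a32afa4134342e", "roles": ["member"]}
ADMIN_CTX = {"project_id": "b7ef60710f9a470785a32afa4134342e", "roles": ["admin"]}
OWNER = "1ed68ab792854dc99c1b2d31bf90019b"
SHARED_NET = {"network": {"project_id": OWNER, "shared": True}}
UNSHARED_NET = {"network": {"project_id": OWNER, "shared": False}}
```

Run explain(MEMBER_CTX, UNSHARED_NET) to see that create_port passes while the three fixed_ips sub-rules fail, which is the shape of the error in the report.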

Revision history for this message
Satish Patel (satish-txt) wrote :

#Update

This is how I created the RBAC policy to allow access to the user00183 project, and now users in that project are not able to create a port with fixed_ips.

# openstack network rbac create --target-project user00183 --action access_as_shared --type network public-network-948

# openstack network rbac show 2235310d-b468-49c6-b722-24901fbaeb0f
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | 2235310d-b468-49c6-b722-24901fbaeb0f |
| object_id | 5aacb586-c234-449e-a209-45fc63c8de26 |
| object_type | network |
| project_id | 1ed68ab792854dc99c1b2d31bf90019b |
| target_project_id | b7ef60710f9a470785a32afa4134342e |
+-------------------+--------------------------------------+

Revision history for this message
Satish Patel (satish-txt) wrote :

# Update

I have verified that I have the patch in place but am still getting the error, which means something else is going on - https://review.opendev.org/c/openstack/neutron/+/666816

tags: added: access-control
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → Medium
Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

I can't reproduce this issue. I'm using a devstack deployment in Zed branch. These are the network and the RBAC policies [1]. I'm creating the network from "demo" project and creating the port from "alt_demo". I've tried with external and non-external networks (removing the "access_as_external" RBAC). In any case, if I define the policies defined in the bug description [2], I'm able to create the port with the fixed IPs. If I remove the policies, I can't (as expected).

Some questions:
* Did you check that the policy file contains only these rule definitions? In other words, are these rules by mistake duplicated in any other place?
* Are you modifying the correct policies file? Do you have a "policy.json" and "policy.yaml" file at the same time?
* Is the user of project "user00183" a member or a reader? Can this user create a port without defining the fixed IPs?

Regards.

[1]https://paste.opendev.org/show/bZN0NNqLCrSrVsV3RyaP/
[2]https://paste.opendev.org/show/bWW3SG7SL9I95TYyIkD0/

Changed in neutron:
status: New → Incomplete
Revision history for this message
Satish Patel (satish-txt) wrote :

Hello Rodolfo,

Thank you for taking time to check.

Some questions:
* Did you check that the policy file contains only these rule definitions? In other words, are these rules by mistake duplicated in any other place?

Answer: my policy file contains a long list of rules. I dumped the policy.yaml file with the oslopolicy tool, modified 3 lines in the file and copied it to /etc/neutron/policy.yaml

* Are you modifying the correct policies file? Do you have a "policy.json" and "policy.yaml" file at the same time?

Answer: yes, I am using policy.yaml

* Is the user of project "user00183" a member or a reader? Can this user create a port without defining the fixed IPs?

Answer: Yes, the project user is a member, and the user can create a port without the fixed_ips option.
        Example: openstack port create --network public-network-948 my-port1

In your paste file I noticed "access_as_external"; what is that for? I don't think I added that, or is it something that appears by itself?

Also, you have "shared: False" and I have "shared: True"; does that make any difference?

Revision history for this message
Satish Patel (satish-txt) wrote :

Never mind, I can see access_as_external:

$ openstack network rbac list --long
+--------------------------------------+-------------+--------------------------------------+--------------------+
| ID | Object Type | Object ID | Action |
+--------------------------------------+-------------+--------------------------------------+--------------------+
| 2235310d-b468-49c6-b722-24901fbaeb0f | network | 5aacb586-c234-449e-a209-45fc63c8de26 | access_as_shared |
| 29304b3c-df9d-4cbb-a556-4e4057cda97a | network | f5cf6691-ef6b-479d-8bbd-5729947ea866 | access_as_shared |
| 33c647a9-063c-4189-beba-2bdb4f3cbc52 | network | cd614d1f-b6ec-4651-aadf-64ee5ed82de4 | access_as_external |
| 412b5a8a-0b90-4632-8cbb-702cc1e688cc | network | 8bfe8adf-a6d7-48b8-8d1b-2a1837e965b6 | access_as_shared |
| 4ddb5fef-d0d3-42cd-b237-9549f86aae1d | network | 6a26ed6e-6842-440f-a43b-d2bd93daaecc | access_as_shared |
| 7006f014-0be0-47d2-947e-3bc6803d8644 | network | f5cf6691-ef6b-479d-8bbd-5729947ea866 | access_as_shared |
| 72b4026a-9bf9-4b2b-ad57-e17b87eaf156 | network | cd614d1f-b6ec-4651-aadf-64ee5ed82de4 | access_as_shared |
| 7987e559-c518-4cdb-a9df-69f79bbe72c2 | network | 6a26ed6e-6842-440f-a43b-d2bd93daaecc | access_as_external |
| 991db33d-f80a-4aa6-88fe-7c5f698b17a7 | network | 8bfe8adf-a6d7-48b8-8d1b-2a1837e965b6 | access_as_external |
| 9fe50b84-3bc0-49c0-9e96-898d7de282f3 | network | 5aacb586-c234-449e-a209-45fc63c8de26 | access_as_shared |
| a62eacd0-a8d0-4c2e-ab53-5685d706da94 | network | 9b53f9a4-6769-4073-b13b-a7de48988d93 | access_as_external |
| a662b6bf-859a-497e-a04e-f12a731f2b1a | network | f6dc2582-ab01-4b88-b344-e976e75f9d8e | access_as_shared |
| bdf4cdbc-ff35-461c-985b-8a54d711561b | network | f6dc2582-ab01-4b88-b344-e976e75f9d8e | access_as_external |
| c4df9c8f-1747-4bfb-a31e-8fccbe96af65 | network | f5cf6691-ef6b-479d-8bbd-5729947ea866 | access_as_external |
| d763a631-ec98-48de-9a19-5b490e5c731e | network | 5aacb586-c234-449e-a209-45fc63c8de26 | access_as_external |
| dbdba838-05ca-46e3-81a7-c9507bc048ec | network | 9b53f9a4-6769-4073-b13b-a7de48988d93 | access_as_shared |
| dd660913-cf5a-47e1-840f-ac94cc108c77 | network | df17184c-a0b3-4cdf-9961-d9a506d9e37a | access_as_shared |
| e3300512-3cf8-428d-8be2-f2b722333426 | network | 5aacb586-c234-449e-a209-45fc63c8de26 | access_as_shared |
| e81abc21-d656-47e7-ad37-36c792d2b107 | network | df17184c-a0b3-4cdf-9961-d9a506d9e37a | access_as_external |
+--------------------------------------+-------------+--------------------------------------+--------------------+

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

In "/etc/neutron/neutron.conf", what is the value of "policy_file" and "policy_dirs"?

Revision history for this message
Satish Patel (satish-txt) wrote :

Hi Rodolfo,

I don't have any option or value set in neutron.conf related to the path, so it should be the default. I believe it is reading the policy file from the proper path, /etc/neutron/policy.yaml

Because last time, when I messed up the file, it created an issue, and then I reverted the policy.yaml file. Should I be adding just the 3 lines to policy.yaml, or dumping the whole file?

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Sorry, but I can't reproduce your issue locally and I don't know why it is failing for you. There should be something else in your environment, different from a newly created one, that is interfering with this policy (user permissions, other RBACs, a missing patch, etc).

Changed in neutron:
assignee: Rodolfo Alonso (rodolfo-alonso-hernandez) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired