disallowed by policy error when user tries to create_port with fixed_Ips
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Expired | Medium | Unassigned | |
Bug Description
OS: Ubuntu 22.04
Openstack Release: Zed
Deployment tool: Kolla-ansible
Neutron Plugin: OVN
I have set up an RBAC policy on my external network, and here is the policy.yaml file:
"create_
"create_
"create_
I have RBAC set up on the following network to allow a specific project to access the network.
# openstack network show public-network-948
+------
| Field | Value |
+------
| admin_state_up | UP |
| availability_
| availability_zones | |
| created_at | 2023-09-
| description | |
| dns_domain | |
| id | 5aacb586-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public-network-948 |
| port_security_
| project_id | 1ed68ab792854dc
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 9 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | d36886a2-
| tags | |
| tenant_id | 1ed68ab792854dc
| updated_at | 2023-10-
+------
When a normal user tries to create a port, they get the following error:
# openstack port create --network public-network-1 --fixed-ip subnet=
ForbiddenException: 403: Client Error for url: http://
openstack in debug output: https:/
Reference Bug:
https:/
https:/
tags: added: access-control
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → Medium
#Update
This is how I created the RBAC policy to allow access to the user00183 project, and now users in that project are not able to create a port with fixed_ips.
# openstack network rbac create --target-project user00183 --action access_as_shared --type network public-network-948
# openstack network rbac show 2235310d-b468-49c6-b722-24901fbaeb0f
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| id                | 2235310d-b468-49c6-b722-24901fbaeb0f |
| object_id         | 5aacb586-c234-449e-a209-45fc63c8de26 |
| object_type       | network                              |
| project_id        | 1ed68ab792854dc99c1b2d31bf90019b     |
| target_project_id | b7ef60710f9a470785a32afa4134342e     |
+-------------------+--------------------------------------+