External shared networks may not be seen by other projects

Bug #2044171 reported by Jakub Libosvar
This bug affects 2 people
Affects | Status  | Importance | Assigned to    | Milestone
neutron | Invalid | Medium     | Jakub Libosvar |

Bug Description

External shared networks each create their own RBAC entry. If there is a project that accesses the network through the shared attribute then it may not work. It depends on how MySQL returns the records, then using the GROUP BY clause it will use the first returned - meaning that if access_as_external is the first record returned, the network will not be treated as shared as it won't match here: https://opendev.org/openstack/neutron/src/commit/cbca72195ae5976d6f8b10bbbd58bde3542956bf/neutron/pecan_wsgi/hooks/ownership_validation.py#L45

This is a regression caused by https://review.opendev.org/c/openstack/neutron-lib/+/884878/1/neutron_lib/db/model_query.py

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
assignee: nobody → Jakub Libosvar (libosvar)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (master)

Change abandoned by "Jakub Libosvar <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/901565
Reason: Not relevant for master

Changed in neutron:
status: In Progress → Invalid
Maximiliano Geier (mgeier85) wrote :

Hi,
I was wondering why this change got abandoned. I'm currently on the Wallaby branch (RDO containers from November 2023) and am affected by this same bug.

My test scenario:

- Create private network net on project admin.
- Share net using RBAC rule with project tenant1.
- Share net using RBAC rule with project tenant2.

Observed result:

- Only tenant2 is able to see the network.

Expected result:

- tenant1 and tenant2 should be able to see the network.

I also came independently to the proposed 'group by' fix, which is working for me, but I would like this to be accepted into the master branch.
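
The order dependence described in the bug description and in the test scenario above can be reproduced in isolation. The following is an added example, not code from neutron, neutron-lib or the proposed fix: the simplified `networkrbacs` table, the function names and the sample rows are assumptions, and SQLite's `MIN(rowid)` is used as a deterministic stand-in for "whichever record the database returned first".

```python
import sqlite3

SHARED = "access_as_shared"

def make_db(rows):
    # Insertion order stands in for the order in which records are returned.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE networkrbacs "
               "(object_id TEXT, target_project TEXT, action TEXT)")
    db.executemany("INSERT INTO networkrbacs VALUES (?, ?, ?)", rows)
    return db

def visible_collapsed(db, net, project):
    # Fragile: GROUP BY keeps a single RBAC row per network and only that
    # row is checked. With MIN(rowid), SQLite takes the bare columns from
    # the first inserted row of the group.
    row = db.execute(
        "SELECT target_project, action, MIN(rowid) FROM networkrbacs "
        "WHERE object_id = ? GROUP BY object_id", (net,)).fetchone()
    return row is not None and row[1] == SHARED and row[0] in (project, "*")

def visible_all_rows(db, net, project):
    # Order-independent: every RBAC row of the network is considered.
    row = db.execute(
        "SELECT 1 FROM networkrbacs WHERE object_id = ? AND action = ? "
        "AND target_project IN (?, '*') LIMIT 1",
        (net, SHARED, project)).fetchone()
    return row is not None

# Constructed sample rows (not taken from a real deployment).
EXTERNAL_FIRST = [("net", "*", "access_as_external"), ("net", "*", SHARED)]
SHARED_FIRST = list(reversed(EXTERNAL_FIRST))
TWO_TENANTS = [("net", "tenant1", SHARED), ("net", "tenant2", SHARED)]

def demo():
    # Each result is (fragile check, order-independent check).
    out = {}
    for name, rows in (("external_first", EXTERNAL_FIRST),
                       ("shared_first", SHARED_FIRST)):
        db = make_db(rows)
        out[name] = (visible_collapsed(db, "net", "tenant1"),
                     visible_all_rows(db, "net", "tenant1"))
    db = make_db(TWO_TENANTS)
    out["two_tenants"] = {p: (visible_collapsed(db, "net", p),
                              visible_all_rows(db, "net", p))
                          for p in ("tenant1", "tenant2")}
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Which project loses visibility in the fragile check depends only on which row survives the grouping; in this model it is the one whose rule is not first, while a real database may keep a different row.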
