This user could create a provider network before this fix but cannot anymore. There are NO issues creating internal networks with such a user.
Here is the error when trying to create a provider network with such a user.
$ openstack network create --provider-network-type vlan --provider-segment 1111 --provider-physical-network physnet1 Test
Error while executing command: HttpException: 403, (((rule:create_network and rule:create_network:provider:physical_network) and rule:create_network:provider:network_type) and rule:create_network:provider:segmentation_id) is disallowed by policy
Adding more details about the regression experienced.
The issue is affecting all users assigned the "Admin" role in all domains and projects apart from the admin project.
Here is an extract of the novarc file of the user with a token scoped to a project in an LDAP domain.
#!/usr/bin/env bash
export OS_AUTH_URL=https://xxx.xxx.xxx:5000/v3
export OS_PROJECT_ID=<project_in_ldap_domain>
export OS_PROJECT_NAME="xxxx"
export OS_USER_DOMAIN_NAME="<ldap_domain_name>"
export OS_PROJECT_DOMAIN_ID="<ldap_domain_id>"
export OS_USERNAME=xxxx
export OS_PASSWORD=xxxx
export OS_REGION_NAME="xxxx"
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=<path>
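The 403 message above lists four rules because Neutron ANDs the base create_network rule with one extra rule per provider:* attribute present in the request, so a user who can create internal networks can still be denied as soon as any provider attribute is supplied. The following is an added example, not code from the bug report or from Neutron: a small oslo.policy-style evaluator that rebuilds that composite rule from a request body, evaluates it against a credential dict, and reports which sub-rule denied. The policy strings, the is_admin_project attribute and the credential dicts are constructed for illustration and are not Neutron's actual defaults.

```python
# Added example (not from the bug report and not Neutron's code): a minimal
# oslo.policy-like evaluator for the "rule:" / "role:" / "key:value" atoms
# joined by "and". It shows how one denied per-attribute rule turns an
# otherwise-permitted create_network call into "disallowed by policy".

# Constructed sample policy (assumption): provider attributes require an admin
# whose token is scoped to the admin project, not merely the admin role.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "admin_in_admin_project": "role:admin and is_admin_project:True",
    "create_network": "",  # empty rule: anyone may create a plain network
    "create_network:provider:physical_network": "rule:admin_in_admin_project",
    "create_network:provider:network_type": "rule:admin_in_admin_project",
    "create_network:provider:segmentation_id": "rule:admin_in_admin_project",
}

PROVIDER_ATTRS = (
    "provider:physical_network",
    "provider:network_type",
    "provider:segmentation_id",
)


def check(rule_name, creds, policy=POLICY, _depth=0):
    """Return True if `creds` satisfy policy[rule_name].

    Supports "rule:<name>" (recursion), "role:<r>" (membership in creds["roles"])
    and generic "<key>:<value>" (string comparison against creds[key]),
    joined by " and ". An empty rule string always passes.
    """
    if _depth > 10:
        raise RecursionError("rule loop through " + rule_name)
    expr = policy[rule_name]
    for atom in filter(None, (a.strip() for a in expr.split(" and "))):
        kind, _, value = atom.partition(":")
        if kind == "rule":
            ok = check(value, creds, policy, _depth + 1)
        elif kind == "role":
            ok = value in creds.get("roles", [])
        else:
            ok = str(creds.get(kind)).lower() == value.lower()
        if not ok:
            return False
    return True


def compose(action, body):
    """Mirror the per-attribute expansion: the base action plus one
    '<action>:<attr>' rule for every provider attribute in the request."""
    return [action] + [f"{action}:{attr}" for attr in PROVIDER_ATTRS if attr in body]


def compose_expr(rules):
    """Render the rule list in the nested '((a and b) and c)' form seen in
    the API's 403 message, which makes the error easy to recognise."""
    expr = f"rule:{rules[0]}"
    for r in rules[1:]:
        expr = f"({expr} and rule:{r})"
    return expr


def authorize(action, body, creds):
    """Return (allowed, failed_rules) so an operator can see which sub-rule
    produced the denial instead of only the composite expression."""
    failed = [r for r in compose(action, body) if not check(r, creds)]
    return (not failed, failed)


# Constructed sample inputs (assumptions), mirroring the CLI call in the report.
PROVIDER_REQUEST = {
    "name": "Test",
    "provider:network_type": "vlan",
    "provider:segmentation_id": 1111,
    "provider:physical_network": "physnet1",
}
INTERNAL_REQUEST = {"name": "internal"}
ADMIN_IN_ADMIN_PROJECT = {"roles": ["admin"], "is_admin_project": True}
ADMIN_IN_LDAP_PROJECT = {"roles": ["admin"], "is_admin_project": False}

if __name__ == "__main__":
    for label, creds in (("admin project", ADMIN_IN_ADMIN_PROJECT),
                         ("LDAP project", ADMIN_IN_LDAP_PROJECT)):
        for body in (PROVIDER_REQUEST, INTERNAL_REQUEST):
            allowed, failed = authorize("create_network", body, creds)
            print(f"{label:13} {body['name']:9} allowed={allowed} failed={failed}")
    print(compose_expr(compose("create_network", PROVIDER_REQUEST)))
```

Running the block shows the pattern from the report: the admin-role user scoped to the LDAP project is allowed to create the internal network but is denied on all three provider:* rules, while the same request from a token scoped to the admin project passes. When diagnosing a real "disallowed by policy" error, compare the rule names in the message against the deployment's policy file and check which atom of each rule the token's scope fails to satisfy.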