OpenStack Neutron API Charm

Bug #1989637
Activity log

Activity log for bug #1989637

Date	Who	What changed	Old value	New value	Message
2022-09-15 01:48:20	Linda Guo	bug			added bug
2022-09-15 01:50:35	Linda Guo	description	By default, only project admin is allowed to update quota, I tried to override neutron-api policy to allow a user with admin role on domain to set quota for network but it doesn't work. I am not sure if this is keystone bug or neutron-api bug >> neutron-api override policy "admin_required": "role:admin", "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s" "get_quota": "rule: admin_and_matching_domain_id" "update_quota": "rule: admin_and_matching_domain_id" "delete_quota": "rule: admin_and_matching_domain_id" 'openstack quota set' returned error: $ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6 HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy $ openstack role assignment list --names --user test-user +--------+------------------------+-------+---------------------------+--------------+--------+-----------+ \| Role \| User \| Group \| Project \| Domain \| System \| Inherited \| +--------+------------------------+-------+---------------------------+--------------+--------+-----------+ \| member \| test-user@admin_domain \| \| test-project@admin_domain \| \| \| False \| \| Admin \| test-user@admin_domain \| \| \| admin_domain \| \| False \| +--------+------------------------+-------+---------------------------+--------------+--------+-----------+	By default, only project admin is allowed to update quota, I tried to override neutron-api policy to allow a user with admin role on domain to set quota for network but it doesn't work. I am not sure if this is keystone bug or neutron-api bug >> neutron-api override policy "admin_required": "role:admin", "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s" "get_quota": "rule: admin_and_matching_domain_id" "update_quota": "rule: admin_and_matching_domain_id" "delete_quota": "rule: admin_and_matching_domain_id" >>'openstack quota set' returned error: $ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6 HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy >>user role assignment $ openstack role assignment list --names --user test-user +--------+------------------------+-------+---------------------------+--------------+--------+-----------+ \| Role \| User \| Group \| Project \| Domain \| System \| Inherited \| +--------+------------------------+-------+---------------------------+--------------+--------+-----------+ \| member \| test-user@admin_domain \| \| test-project@admin_domain \| \| \| False \| \| Admin \| test-user@admin_domain \| \| \| admin_domain \| \| False \| +--------+------------------------+-------+---------------------------+--------------+--------+-----------+