OpenStack Heat

OS::Neutron::Router needs property 'tenant_id'

Bug #1246629 reported by Yi Liu on 2013-10-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Invalid	Medium	Unassigned

Bug Description

I tried to create a router through heat template, but failed. And I got the error:
2013-10-31 16:27:08.741 20029 TRACE heat.engine.resource NeutronClientException: Running without keystone AuthN requires that tenant_id is specified

However, I found OS::Neutron::Router doesn't have a 'tenant_id' property.

I'm not sure this is a bug or not? Maybe it is only because I'm missing some configuration for Neutron? I'm now still working on it...

Anyhow, I think it is better for OS::Neutron::Router to have a 'tenant_id' property.

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2013-10-31:

Resources created by heat should always be scoped to the tenant that created the resource.

So rather than adding a tenant_id property, the create_router call should include the tenant_id from the request context.

Changed in heat:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → icehouse-1

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2013-10-31:

Hmm, OS::Neutron::Net has a tenant_id attribute for admin created nets, maybe it is appropriate to add tenant_id to Router

Revision history for this message

Angus Salkeld (asalkeld) wrote on 2013-12-02:

*project_id*

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2013-12-02:

Maybe tenant_id initially, then later deprecate all tenant_id properties when project_id properties are added.

Steve Baker (steve-stevebaker) on 2013-12-04

Changed in heat:
milestone:	icehouse-1 → icehouse-2

Pablo Andres Fuente (pablo-a-fuente) on 2013-12-06

Changed in heat:
assignee:	nobody → Pablo Andres Fuente (pablo-a-fuente)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-12-06: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/60607

Changed in heat:
status:	Triaged → In Progress

Revision history for this message

Steven Hardy (shardy) wrote on 2014-01-04:

As noted in https://review.openstack.org/#/c/60607/ I'm worried we're doing the wrong thing here.

See keysone bug #968696 - there is no such thing as a global admin - all admin role assignment should be scoped per project - so we should not be perpetuating that bug by allowing resources to be leaked between projects/tenants like this.

I'm not sure why this capability exists in neutron - we probably need further discussion of the use-case, but we should not be enabling users to routinely defeat the tenant scoping stated in the request context (derived from the scope of the keystone token, so that is what we should enforce!)

This is basically going in the exact opposite direction of where I think we should be headed, ref the request-scoping-policy bp.

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2014-01-14:

I'll kick to i-3 for now, but if there is an appropriate way forward which is not this then feel free to mark this as invalid.

Changed in heat:
milestone:	icehouse-2 → icehouse-3

Pablo Andres Fuente (pablo-a-fuente) on 2014-02-13

Changed in heat:
assignee:	Pablo Andres Fuente (pablo-a-fuente) → nobody

Steve Baker (steve-stevebaker) on 2014-02-25

Changed in heat:
status:	In Progress → Triaged
milestone:	icehouse-3 → none

Anant Patil (ananta) on 2014-07-07

Changed in heat:
assignee:	nobody → Anant Patil (ananta)

Anant Patil (ananta) on 2014-09-17

Changed in heat:
assignee:	Anant Patil (ananta) → nobody

Zane Bitter (zaneb) on 2014-12-15

Changed in heat:
importance:	High → Medium

Song Li (lisong-cruise) on 2014-12-17

Changed in heat:
assignee:	nobody → Song Li (lisong-cruise)

Revision history for this message

Song Li (lisong-cruise) wrote on 2014-12-17:

Hi Steve, I am agree with your comment #5

I think project admin should be limited into there own scope. I think the admin scope will be restricted in future.

For neutron, if one admin can create router in another tenant, there will be a big risk for whole environment.

To the issue, if the router can be created successfully with OS_TENANT_NAME configured, I think it should be OK for neutron. Do you agree with this?

Revision history for this message

Song Li (lisong-cruise) wrote on 2014-12-18:

Set the bug #968696 also affect Neutron, waiting the Neutron members reply. If Neutron will limit the admin scope, I think we can close the issue.

Song Li (lisong-cruise) on 2014-12-23

Changed in heat:
status:	Triaged → In Progress

Song Li (lisong-cruise) on 2015-01-07

Changed in heat:
assignee:	Song Li (lisong-cruise) → nobody

Revision history for this message

Song Li (lisong-cruise) wrote on 2015-01-07:

#10

@Steve, @Pablo
I saw network have TENANT_ID, and I don't think Neutron will limit the admin scope in one or two release.
I think we can add tenant_id to make it convenient for users, then remove tenant_id after Neutron limited the scope.
What's your idea?

Song Li (lisong-cruise) on 2015-01-07

Changed in heat:
assignee:	nobody → Song Li (lisong-cruise)

Song Li (lisong-cruise) on 2015-03-25

Changed in heat:
assignee:	Song Li (lisong-cruise) → nobody

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2015-08-26:

#11

This can be reopened later once it is apparent what the right path is.

Changed in heat:
status:	In Progress → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.