Attaching a port from shared VN to the router is not showing the association

Bug #1332471 reported by Vedamurthy Joshi
Affects                  Status         Importance  Assigned to       Milestone
Juniper Openstack        Fix Committed  High        Prakash Bailkeri
Juniper Openstack R1.1   Fix Committed  High        Prakash Bailkeri

Bug Description

Build 1.06-47

I have two projects : public and project1
public project has a shared VN public_vn
In project1, I create a VN net2 with subnet 70.0.0.0/24

In project1, I create a router with one port in each of these vns net2 and public_vn

Now, router-port-list of the router shows only 1 port, i.e. the one from net2, but does not show the port from public_vn

In public VN , there is no router present anyway, so the router-port is not seen.

root@nodec34:~# source p1u1rc
root@nodec34:~# neutron router-port-list rtr1
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------+
| 4e90921f-7956-4981-8e52-f7201fc1a564 | 4e90921f-7956-4981-8e52-f7201fc1a564 | 02:4e:90:92:1f:79 | {"subnet_id": "e2f210b4-17be-4d1a-8f49-d4965d36e8e6", "ip_address": "70.0.0.3"} |
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------+
root@nodec34:~#

curl -i http://10.204.217.19:9696/v2.0/ports.json?device_id=0f865409-d029-427d-be5f-0315bc3c8e38 -X GET -H "X-Auth-Token: <token>" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient"

DEBUG: neutronclient.client RESP:{'date': 'Fri, 20 Jun 2014 09:32:52 GMT', 'status': '200', 'content-length': '537', 'content-type': 'application/json; charset=UTF-8', 'content-location': 'http://10.204.217.19:9696/v2.0/ports.json?device_id=0f865409-d029-427d-be5f-0315bc3c8e38'} {"ports": [{"status": "ACTIVE", "name": "4e90921f-7956-4981-8e52-f7201fc1a564", "admin_state_up": true, "network_id": "333c09f3-bd69-4207-acd5-5f157f8aaeb3", "tenant_id": "bcbac3687162482bb9a59175e58f639b", "device_owner": "network:router_interface", "mac_address": "02:4e:90:92:1f:79", "port_security_enabled": true, "fixed_ips": [{"subnet_id": "e2f210b4-17be-4d1a-8f49-d4965d36e8e6", "ip_address": "70.0.0.3"}], "id": "4e90921f-7956-4981-8e52-f7201fc1a564", "security_groups": [], "device_id": "0f865409-d029-427d-be5f-0315bc3c8e38"}]}

root@nodec34:~# neutron router-show rtr1
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| contrail:fq_name | default-domain |
| | project1 |
| | rtr1 |
| external_gateway_info | |
| id | 0f865409-d029-427d-be5f-0315bc3c8e38 |
| name | rtr1 |
| status | ACTIVE |
| tenant_id | bcbac3687162482bb9a59175e58f639b |
+-----------------------+--------------------------------------+
root@nodec34:~#

root@nodec34:~# source u1rc
root@nodec34:~# neutron router-list

root@nodec34:~#

root@nodec34:~# neutron port-list
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------------+
| 4993917c-aecc-48bc-9ff8-464d5c1a21cd | 4993917c-aecc-48bc-9ff8-464d5c1a21cd | 02:49:93:91:7c:ae | {"subnet_id": "c5f03354-d586-4f0e-bfdd-f33b01ae124d", "ip_address": "10.204.219.206"} |
| 80743572-95a0-40b7-a298-8594167aa1ff | 80743572-95a0-40b7-a298-8594167aa1ff | 02:80:74:35:72:95 | {"subnet_id": "c5f03354-d586-4f0e-bfdd-f33b01ae124d", "ip_address": "10.204.219.201"} |
+--------------------------------------+--------------------------------------+-------------------+---------------------------------------------------------------------------------------+
root@nodec34:~# neutron port-show 80743572-95a0-40b7-a298-8594167aa1ff
+-----------------------+---------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up | True |
| device_id | 0f865409-d029-427d-be5f-0315bc3c8e38 |
| device_owner | network:router_interface |
| fixed_ips | {"subnet_id": "c5f03354-d586-4f0e-bfdd-f33b01ae124d", "ip_address": "10.204.219.201"} |
| id | 80743572-95a0-40b7-a298-8594167aa1ff |
| mac_address | 02:80:74:35:72:95 |
| name | 80743572-95a0-40b7-a298-8594167aa1ff |
| network_id | 70534c8c-dcc7-479b-aa8c-26232c8b9c6e |
| port_security_enabled | True |
| security_groups | |
| status | ACTIVE |
| tenant_id | 94a654cbd04a4720b77b0954a63fb2da |
+-----------------------+---------------------------------------------------------------------------------------+
root@nodec34:~# (source /etc/contrail/openstackrc; keystone tenant-list)
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 3efa69ee0574412f819672c3ab3613c2 | admin | True |
| f3fe85e3ff314b02a3b70964eb062c34 | demo | True |
| db8ba4300aee4b7a8a8bb1db6e7eb79d | invisible_to_admin | True |
| bcbac3687162482bb9a59175e58f639b | project1 | True |
| aed7d6245bbe45febc9e5589fe0d8c41 | project2 | True |
| af36fbda1075477db1359db11af956b6 | project3 | True |
| 94a654cbd04a4720b77b0954a63fb2da | public | True |
| 98d3b3a7d963449f9cb58be8766364ec | service | True |
+----------------------------------+--------------------+---------+
root@nodec34:~#

root@nodec34:~# cat p1u1rc
export OS_USERNAME=p1u1
export OS_PASSWORD=p1u1
export OS_TENANT_NAME=project1
export OS_AUTH_URL=http://10.204.217.19:5000/v2.0/
export OS_NO_CACHE=1
root@nodec34:~# cat u1rc
export OS_USERNAME=u1
export OS_PASSWORD=u1
export OS_TENANT_NAME=public
export OS_AUTH_URL=http://10.204.217.19:5000/v2.0/
export OS_NO_CACHE=1
root@nodec34:~#

information type: Proprietary → Public
Sachin Bansal (sbansal) wrote :

I checked this and even though our plugin returns both the ports, neutron itself is dropping one of the ports because it doesn't match the tenant id from context. Could you please try this on devstack and let me know the behavior?

Sachin Bansal (sbansal) wrote :

I am inclined to believe that this is intended behavior. A non-admin user should not be able to see ports from another tenant. Let me know if you think otherwise.

Vedamurthy Joshi (vedujoshi) wrote :

Sachin,
   Verified with nodec43 (openstack + openvswitch)

The behavior is different in two ways:
1) In std openstack, it doesn't let me create a port for a router from another tenant unless the user has the admin role on that project

2) router-port-list does show the port from the shared VN in the current project.

root@nodec43:~# neutron net-show net_1_1
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 02b7d689-ea66-4d7b-9373-658f10ad1012 |
| name | net_1_1 |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 3 |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | 6f63e3e3-0bc0-4bfd-bf08-dbe562ac5fe5 |
| tenant_id | 3136f090ef9c493e9c70184ce678482c |
+---------------------------+--------------------------------------+
root@nodec43:~#

root@nodec43:~# source openrc
root@nodec43:~# export OS_TENANT_NAME=project2
root@nodec43:~# neutron router-create router2
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | f48f38d8-7f9d-426c-976d-156c95a8b914 |
| name | router2 |
| status | ACTIVE |
| tenant_id | 5ca0a1c56d47409c90befe31521c7eac |
+-----------------------+--------------------------------------+
root@nodec43:~#

root@nodec43:~# neutron router-interface-add f48f38d8-7f9d-426c-976d-156c95a8b914 6f63e3e3-0bc0-4bfd-bf08-dbe562ac5fe5
{"NeutronError": {"message": "User does not have admin privileges: Cannot create resource for another tenant", "type": "AdminRequired", "detail": ""}}
root@nodec43:~#

I then made 'admin' user to be of role "admin" in project1

root@nodec43:~# set |grep OS_
OS_AUTH_URL=http://10.204.217.83:5000/v2.0
OS_PASSWORD=password
OS_TENANT_NAME=project2
OS_USERNAME=admin
root@nodec43:~#

root@nodec43:~# neutron router-interface-add f48f38d8-7f9d-426c-976d-156c95a8b914 6f63e3e3-0bc0-4bfd-bf08-dbe562ac5fe5
Added interface 9f28d338-7b4b-48c8-a75d-7b344c88bdfb to router f48f38d8-7f9d-426c-976d-156c95a8b914.
root@nodec43:~#

root@nodec43:~# neutron router-list
+--------------------------------------+-----------+-----------------------+
| id | name | external_gateway_info |
+--------------------------------------+-------...


tags: added: neutronapi
Changed in juniperopenstack:
milestone: r1.06-fcs → r1.10-fcs
Ashish Ranjan (aranjan-n) wrote :

This should be fixed now, as now the ports parent is project. So tenant ID is now set from project.

Prakash Bailkeri (prakashmb) wrote :

This bug is not yet fixed in R1.10/master.

The issue is that the contrail plugin would allow port creation on a tenant different from the context tenant, even if the user is not admin.

Stock devstack doesn’t allow adding a router port belonging to a shared VN unless user is admin. This check is missing in contrail plugin.

Neutron code (in db/db_base_plugin_v2.py) has an API to validate such cases: _get_tenant_id_for_create. This function is called from many create methods for validation.

I made a change to bring this to contrail plugin.

https://review.opencontrail.org/#/c/2036/

Changed in juniperopenstack:
status: New → In Progress
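The two behaviours discussed in this thread, Sachin's point that neutron's tenant-scoped listing drops a port whose tenant_id does not match the caller's context, and Prakash's point that a `_get_tenant_id_for_create`-style check at create time is what stops a non-admin from creating a port owned by another tenant, as an added example. This is not the contrail plugin's or neutron's own code: the `Context`, `Network`, `Port` classes and the three helper functions are a simplified model of what the comments describe, and `get_tenant_id_for_create` is a hypothetical re-implementation of the neutron function named above. The tenant, router, network and port identifiers are copied from the report.

```python
from dataclasses import dataclass


class AdminRequired(Exception):
    """The error type stock neutron returned in the nodec43 run above."""


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str
    shared: bool = False


@dataclass(frozen=True)
class Port:
    id: str
    tenant_id: str
    network_id: str
    device_id: str
    device_owner: str = "network:router_interface"


# Identifiers copied from the report above (tenants, router, networks, ports).
PROJECT1 = "bcbac3687162482bb9a59175e58f639b"
PUBLIC = "94a654cbd04a4720b77b0954a63fb2da"
ROUTER = "0f865409-d029-427d-be5f-0315bc3c8e38"
NET2 = Network("333c09f3-bd69-4207-acd5-5f157f8aaeb3", PROJECT1)
PUBLIC_VN = Network("70534c8c-dcc7-479b-aa8c-26232c8b9c6e", PUBLIC, shared=True)
PORT_NET2 = "4e90921f-7956-4981-8e52-f7201fc1a564"
PORT_PUBLIC = "80743572-95a0-40b7-a298-8594167aa1ff"


def get_tenant_id_for_create(ctx, resource):
    """Hypothetical, simplified model of neutron's _get_tenant_id_for_create:
    an admin may name any tenant; everyone else gets the context tenant, and
    naming a different one is refused with AdminRequired."""
    requested = resource.get("tenant_id")
    if ctx.is_admin and requested is not None:
        return requested
    if requested is not None and requested != ctx.tenant_id:
        raise AdminRequired("Cannot create resource for another tenant")
    return ctx.tenant_id


def list_device_ports(ctx, ports, device_id):
    """Tenant-scoped listing, the filter that made router-port-list drop the
    public_vn port: a non-admin only sees ports owned by the context tenant."""
    return [
        p for p in ports
        if p.device_id == device_id and (ctx.is_admin or p.tenant_id == ctx.tenant_id)
    ]


def create_router_port(ctx, port_id, network, device_id, tenant_id=None):
    """Create a router interface port with the create-time check applied.
    tenant_id is the tenant the caller asks for (None = unspecified)."""
    resource = {} if tenant_id is None else {"tenant_id": tenant_id}
    owner = get_tenant_id_for_create(ctx, resource)
    return Port(port_id, owner, network.id, device_id)


def ports_as_reported():
    """Ports as the plugin stored them in the report: the public_vn port is
    owned by the network's tenant 'public', not by the router's tenant."""
    return [
        Port(PORT_NET2, PROJECT1, NET2.id, ROUTER),
        Port(PORT_PUBLIC, PUBLIC, PUBLIC_VN.id, ROUTER),
    ]


def reported_view():
    """What project1's non-admin user saw in the report: only the net2 port."""
    ctx = Context(PROJECT1)
    return [p.id for p in list_device_ports(ctx, ports_as_reported(), ROUTER)]


def checked_view():
    """With the check in place and no tenant requested, both ports end up
    owned by project1 and both are listed, as in the stock-OpenStack run."""
    ctx = Context(PROJECT1)
    ports = [
        create_router_port(ctx, PORT_NET2, NET2, ROUTER),
        create_router_port(ctx, PORT_PUBLIC, PUBLIC_VN, ROUTER),
    ]
    return [p.id for p in list_device_ports(ctx, ports, ROUTER)]


def checked_cross_tenant_attempt():
    """A non-admin asking for the shared network owner's tenant is refused;
    the error message is returned so the caller can inspect it."""
    ctx = Context(PROJECT1)
    try:
        create_router_port(ctx, PORT_PUBLIC, PUBLIC_VN, ROUTER, tenant_id=PUBLIC)
    except AdminRequired as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("as reported:", reported_view())
    print("with check:", checked_view())
    print("cross-tenant attempt:", checked_cross_tenant_attempt())
```

The listing filter alone is not a defect: it is the same tenant scoping that hides the port in stock neutron too. The difference in the report is who owns the port. Once the create path assigns the context tenant (or refuses a foreign one), the port on the shared network belongs to the router's project and the scoped listing shows it.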
Prakash Bailkeri (prakashmb) wrote :
Changed in juniperopenstack:
status: In Progress → Fix Committed
Nagabhushana R (bhushana) wrote :

Above link points to R1.1 checkin, please mark the main scope fixed once you checkin into mainline.

Changed in juniperopenstack:
milestone: r1.10-fcs → none
status: Fix Committed → In Progress
Prakash Bailkeri (prakashmb) wrote :
Changed in juniperopenstack:
status: In Progress → Fix Committed