[RFE] RBAC: Allow user to create port from specific subnet on shared network

Bug #1543756 reported by Stephen Ma
This bug affects 5 people
Affects: neutron
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The network demo-net, owned by user demo, is shared with tenant demo-2. The sharing is created by demo using the command

neutron rbac-create --type network --action access_as_shared --target-tenant <demo-2-tenant-id> demo-net

A user on the demo-2 tenant can see the network demo-net:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron net-list
+--------------------------------------+----------+--------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+--------------------------------------------------+
| 85bb7612-e5fa-440c-bacf-86c5929298f3 | demo-net | e66487b6-430b-4fb1-8a87-ed28dd378c43 10.1.2.0/24 |
| | | ff01f7ca-d838-42dc-8d86-1b2830bc4824 10.1.3.0/24 |
| 5beb4080-4cf0-4921-9bbf-a7f65df6367f | public | 57485a80-815c-45ef-a0d1-ce11939d7fab |
| | | 38d1ddad-8084-4d32-b142-240e16fcd5df |
+--------------------------------------+----------+--------------------------------------------------+

The owner of network demo-net is able to create a port using the command 'neutron port-create demo-net --fixed-ip ...':
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.6"} |
| id | 37402f22-fcd5-4b01-8b01-c6734573d7a8 |
| mac_address | fa:16:3e:44:71:ad |
| name | |
| network_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| security_groups | 7db11aa0-3d0d-40d1-ae25-e4c02b8886ce |
| status | DOWN |
| tenant_id | 54913ee1ca89458ba792d685c799484d |
+-----------------------+---------------------------------------------------------------------------------+

The user demo-2 of tenant demo-2 is able to create a port using the network demo-net:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.5"} |
| id | bab87cc9-2c83-489d-a973-1a42872a3dd4 |
| mac_address | fa:16:3e:c6:93:e5 |
| name | |
| network_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| security_groups | 465c1c6f-e974-40e0-826e-72a2cc7d3fa4 |
| status | DOWN |
| tenant_id | 3dd36d3f99494454bd4f887201684b63 |
+-----------------------+---------------------------------------------------------------------------------+

If the same user wants to create a port on demo-net with a fixed IP on the 10.1.2.0/24 subnet, the port creation fails:

stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
(rule:create_port and rule:create_port:fixed_ips) on {'binding:host_id': <object object at 0x7f1935be82a0>, 'name': '', 'allowed_address_pairs': <object object at 0x7f1935be82a0>, u'admin_state_up': True, u'network_id': u'85bb7612-e5fa-440c-bacf-86c5929298f3', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'extra_dhcp_opts': None, 'mac_address': <object object at 0x7f1935be82a0>, 'binding:vnic_type': 'normal', 'device_owner': '', 'dns_name': '', 'binding:profile': <object object at 0x7f1935be82a0>, u'fixed_ips': [{u'subnet_id': u'ff01f7ca-d838-42dc-8d86-1b2830bc4824'}], u'network:tenant_id': u'54913ee1ca89458ba792d685c799484d', 'security_groups': <object object at 0x7f1935be82a0>, 'device_id': ''} by {'domain': None, 'project_name': u'demo-2', 'tenant_name': u'demo-2', 'project_domain': None, 'timestamp': '2016-02-09 19:20:48.555574', 'auth_token': 'afa5047cd78b4774a6fd3ab3944f3f97', 'resource_uuid': None, 'is_admin': False, 'user': u'ca2f2bb189e6401c9c27214d4aa33563', 'tenant': u'3dd36d3f99494454bd4f887201684b63', 'read_only': False, 'project_id': u'3dd36d3f99494454bd4f887201684b63', 'user_id': u'ca2f2bb189e6401c9c27214d4aa33563', 'show_deleted': False, 'roles': [u'_member_'], 'user_identity': 'ca2f2bb189e6401c9c27214d4aa33563 3dd36d3f99494454bd4f887201684b63 - - -', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'request_id': 'req-7de91903-43ed-4940-a645-3418d10413ec', 'user_domain': None, 'user_name': u'demo-2'} disallowed by policy
stack@Ubuntu-38:~/DEVSTACK/devstack$

The rbac rule for sharing of network demo-net with tenant "demo-2" is:
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron rbac-show ea979774-8383-4a7e-8cbe-50bbd58855e5
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | ea979774-8383-4a7e-8cbe-50bbd58855e5 |
| object_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| object_type | network |
| target_tenant | 3dd36d3f99494454bd4f887201684b63 |
| tenant_id | 54913ee1ca89458ba792d685c799484d |
+---------------+--------------------------------------+

Stephen Ma (stephen-ma)
summary: - BAC: Port creation on a shared network failed if --fixed-ip is specified
+ RBAC: Port creation on a shared network failed if --fixed-ip is
+ specified
summary: RBAC: Port creation on a shared network failed if --fixed-ip is
- specified
+ specified in 'neutron port-create' command
Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
Revision history for this message
Kevin Benton (kevinbenton) wrote : Re: RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command

We can't let people that don't own the network select their own fixed IP. Using the fixed IP field, someone can pick addresses outside of the allocation pool so it's restricted to an owner-only operation.

It might be worth discussion if we should allow them to select a subnet_id but not a specific IP. Maybe change this to an RFE because it's going to be a policy change that we need to carefully consider.

Changed in neutron:
status: New → Opinion
Stephen Ma (stephen-ma)
tags: added: rfe
Revision history for this message
Peter Slovak (slovak-peto) wrote :

@stephen-ma If you're not concerned with the other tenant having elevated privileges over the rbac-shared network, you can assign the user the "advsvc" role in that tenant. But beware, this opens up a lot of network management possibilities to the user, see neutron's policy.json for details.

Revision history for this message
Stephen Ma (stephen-ma) wrote :

@slovak-peto A target-tenant can create a port on the network using the command "neutron port-create <network-id>" without having the advsvc role. When the network has more than 1 subnet, the target tenant should be able to create a port using the subnet desired instead of settling for the default subnet.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/432850

Changed in neutron:
status: Opinion → In Progress
summary: - RBAC: Port creation on a shared network failed if --fixed-ip is
+ [RFE] RBAC: Port creation on a shared network failed if --fixed-ip is
specified in 'neutron port-create' command
summary: - [RFE] RBAC: Port creation on a shared network failed if --fixed-ip is
- specified in 'neutron port-create' command
+ [RFE] RBAC: Allow user to create port from specific subnet on shared
+ network
Changed in neutron:
importance: Undecided → Wishlist
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Reedip (reedip-banerjee) → nobody
status: In Progress → New
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/432850
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in neutron:
assignee: nobody → Reedip (reedip-banerjee)
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
status: In Progress → Triaged
Changed in neutron:
status: Triaged → In Progress
Changed in neutron:
status: In Progress → Triaged
Changed in neutron:
status: Triaged → In Progress
Changed in neutron:
status: In Progress → Confirmed
status: Confirmed → Triaged
Revision history for this message
Miguel Lavalle (minsel) wrote :

This RFE was approved only to allow selection of a subnet-id, not specific fixed ip, by tenants who don't own the network

tags: added: rfe-approved
removed: rfe timeout-abandon
Changed in neutron:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/432850
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8236e83deced9af84ae0e5128c76acfa753093cc
Submitter: Zuul
Branch: master

commit 8236e83deced9af84ae0e5128c76acfa753093cc
Author: Reedip <email address hidden>
Date: Mon Feb 13 00:38:54 2017 -0500

    Allow port create/update by shared nw owners

    Currently if a new port is created by a tenant with whom
    the network is shared (tenant is not the owner but has
    network shared via RBAC), the port is allocated on the default
    subnet. This patch allows the tenant to create/update a port on
    any subnet which is actually a part of a shared network, owned by
    another tenant.
    Tempest test in [1]

    [1]: https://review.openstack.org/521413
    Change-Id: I1046f6b13e68b1e274cc8f62f5b30aa5f8d71cdc
    Closes-Bug: #1543756

Changed in neutron:
status: In Progress → Fix Released
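The decision Kevin Benton proposed, Miguel Lavalle approved and the merged commit describes (a shared-network tenant may pick a subnet_id, but only the owner, admin or advsvc may pick an ip_address), written out as an added Python model; this is example code, not neutron's policy engine. The network, subnet and tenant ids are the ones from the report; the role names and the allow_shared_subnet_select switch, which contrasts the pre-fix behaviour with the approved one, are this example's own assumptions.

```python
# Added example (not neutron's code): a model of the create_port fixed_ips
# authorization decision settled in this bug. Role names and the
# allow_shared_subnet_select switch are assumptions used only to contrast
# the pre-fix behaviour with the approved one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str          # owning tenant
    subnet_ids: frozenset   # subnets that belong to this network
    shared_with: frozenset  # target tenants of access_as_shared RBAC entries


@dataclass(frozen=True)
class Context:
    tenant_id: str
    roles: frozenset = frozenset()


def check_create_port(ctx, net, fixed_ips, allow_shared_subnet_select=True):
    """Return (allowed, reason) for a port-create request on `net`.

    fixed_ips is the request's list of {"subnet_id": ..., "ip_address": ...}
    entries; either key may be absent, as in the CLI calls in the report.
    """
    owner_like = (ctx.tenant_id == net.tenant_id
                  or "admin" in ctx.roles or "advsvc" in ctx.roles)
    shared = ctx.tenant_id in net.shared_with
    if not (owner_like or shared):
        return False, "create_port: network is not visible to this tenant"
    for entry in fixed_ips:
        if "ip_address" in entry and not owner_like:
            # An explicit address may sit outside the allocation pools,
            # so choosing one stays an owner/admin/advsvc operation.
            return False, "create_port:fixed_ips:ip_address disallowed by policy"
        if "subnet_id" in entry:
            if entry["subnet_id"] not in net.subnet_ids:
                return False, "subnet_id does not belong to this network"
            if not owner_like and not allow_shared_subnet_select:
                # Pre-fix behaviour: any fixed_ips entry was owner-only,
                # which is the "disallowed by policy" error in the report.
                return False, "create_port:fixed_ips disallowed by policy"
    return True, "ok"
```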
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b3

This issue was fixed in the openstack/neutron 12.0.0.0b3 development milestone.

Akihiro Motoki (amotoki)
Changed in neutron:
milestone: none → queens-3