[RFE] RBAC: Allow user to create port from specific subnet on shared network
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Wishlist | Unassigned | 
Bug Description
The network demo-net, owned by user demo, is shared with tenant demo-2. The sharing is created by demo using the command
neutron rbac-create --type network --action access_as_shared --target-tenant <demo-2-tenant-id> demo-net
A user on the demo-2 tenant can see the network demo-net:
stack@Ubuntu-
+------
| id | name | subnets |
+------
| 85bb7612-
| | | ff01f7ca-
| 5beb4080-
| | | 38d1ddad-
+------
The owner of network demo-net is able to create a port using the command 'neutron port-create demo-net --fixed-ip ...':
stack@Ubuntu-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-
| id | 37402f22-
| mac_address | fa:16:3e:44:71:ad |
| name | |
| network_id | 85bb7612-
| security_groups | 7db11aa0-
| status | DOWN |
| tenant_id | 54913ee1ca89458
+------
The user demo-2 of tenant demo-2 is able to create a port using the network demo-net:
stack@Ubuntu-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-
| id | bab87cc9-
| mac_address | fa:16:3e:c6:93:e5 |
| name | |
| network_id | 85bb7612-
| security_groups | 465c1c6f-
| status | DOWN |
| tenant_id | 3dd36d3f9949445
+------
If the same user wants to create a port on demo-net with a fixed IP on the 10.1.2.0/24 subnet, the port creation fails:
stack@Ubuntu-
(rule:create_port and rule:create_
stack@Ubuntu-
The RBAC rule for sharing of network demo-net with tenant "demo-2" is:
stack@Ubuntu-
+------
| Field | Value |
+------
| action | access_as_shared |
| id | ea979774-
| object_id | 85bb7612-
| object_type | network |
| target_tenant | 3dd36d3f9949445
| tenant_id | 54913ee1ca89458
+------
summary: "BAC: Port creation on a shared network failed if --fixed-ip is specified" → "RBAC: Port creation on a shared network failed if --fixed-ip is specified"
summary: "RBAC: Port creation on a shared network failed if --fixed-ip is specified" → "RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command"
Changed in neutron: assignee: nobody → Reedip (reedip-banerjee)
tags: added: rfe
summary: "RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command" → "[RFE] RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command"
summary: "[RFE] RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command" → "[RFE] RBAC: Allow user to create port from specific subnet on shared network"
Changed in neutron: importance: Undecided → Wishlist
Changed in neutron: assignee: nobody → Reedip (reedip-banerjee); status: New → In Progress
Changed in neutron: status: In Progress → Triaged
Changed in neutron: status: Triaged → In Progress
Changed in neutron: status: In Progress → Triaged
Changed in neutron: status: Triaged → In Progress
Changed in neutron: status: In Progress → Confirmed; status: Confirmed → Triaged
Changed in neutron: status: Triaged → In Progress
Changed in neutron: milestone: none → queens-3
We can't let people that don't own the network select their own fixed IP. Using the fixed IP field, someone can pick addresses outside of the allocation pool so it's restricted to an owner-only operation.
It might be worth discussion if we should allow them to select a subnet_id but not a specific IP. Maybe change this to an RFE because it's going to be a policy change that we need to carefully consider.
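Added illustration (not part of the report, the comments, or Neutron's code): a toy Python evaluator for the two-layer policy decision at issue here, with an assumed rule "create_port:fixed_ips:subnet_id" standing in for the subnet-only proposal above. The rule syntax is a subset of legacy policy.json, and the tenant ids and the "access_as_shared" field on the network are constructed.

```python
# Constructed policy fragment in legacy neutron policy.json syntax (added
# example, not Neutron's policy file). "create_port:fixed_ips" is the owner-only
# rule hit in the report; "create_port:fixed_ips:subnet_id" is an assumed rule
# for the proposal: subnet choice allowed on a shared network, IP choice is not.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:network:shared=True",
    "create_port": "",
    "create_port:fixed_ips": "rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:admin_or_network_owner or rule:shared",
}

def _check(atom, ctx, target):
    # One check of a rule expression (subset of oslo.policy syntax).
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, ctx, target)
    if kind == "role":
        return value in ctx["roles"]
    if kind == "field":                      # field:network:shared=True
        path, expected = value.split("=")
        resource, attr = path.split(":")
        return str(target[resource][attr]) == expected
    if kind == "tenant_id":                  # tenant_id:%(network:tenant_id)s
        resource, attr = value[2:-2].split(":")
        return ctx["tenant_id"] == target[resource][attr]
    raise ValueError("unknown check: " + atom)

def enforce(name, ctx, target):
    """Empty rule matches anyone; else 'or' of 'and'-groups ('and' binds tighter)."""
    expr = POLICY[name]
    return not expr or any(all(_check(a, ctx, target) for a in g.split(" and "))
                           for g in expr.split(" or "))

def create_port_denied_by(ctx, network, fixed_ips=()):
    """Return the first failing rule name, or None when the port may be created."""
    # 'shared' is computed per caller from the network's access_as_shared RBAC entries.
    target = {"network": {"tenant_id": network["tenant_id"],
                          "shared": ctx["tenant_id"] in network["access_as_shared"]}}
    if not enforce("create_port", ctx, target):
        return "create_port"
    for fip in fixed_ips:
        if "ip_address" in fip and not enforce("create_port:fixed_ips", ctx, target):
            return "create_port:fixed_ips"
        if "subnet_id" in fip and not enforce("create_port:fixed_ips:subnet_id", ctx, target):
            return "create_port:fixed_ips:subnet_id"
    return None

# Constructed sample data mirroring the report: demo owns demo-net, shared with demo-2.
DEMO_NET = {"tenant_id": "demo-tenant-id", "access_as_shared": {"demo-2-tenant-id"}}
DEMO_2 = {"tenant_id": "demo-2-tenant-id", "roles": {"member"}}
```

With this model the shared tenant can create a plain port or pick a subnet, but an explicit ip_address is still refused by create_port:fixed_ips, while the owner and an admin pass both checks.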