Control external network access with RBAC

Bug #1547985 reported by Kevin Benton
Affects: neutron | Status: Fix Released | Importance: Wishlist | Assigned to: Kevin Benton | Milestone: (none)

Bug Description

There is currently no way to restrict the tenants that have access to an external network in Neutron. So there is currently no workflow to have a special set of floating IPs that only certain tenants can access. In order to support this, access to external networks should be controlled via the RBAC framework that was introduced to limit access to shared networks.

Changed in neutron:
status: New → In Progress
Kevin Benton (kevinbenton) wrote :
Changed in neutron:
status: In Progress → New
Changed in neutron:
importance: Undecided → Wishlist
status: New → In Progress
Armando Migliaccio (armando-migliaccio) wrote :

Now that I think of it, this looks like a long tail of the RBAC feature.

tags: added: rfe-approved
removed: rfe
tags: removed: rfe-approved
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/282295
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=49b4dd3478d782aee4260033825aa6b47eaf644a
Submitter: Jenkins
Branch: master

commit 49b4dd3478d782aee4260033825aa6b47eaf644a
Author: Kevin Benton <email address hidden>
Date: Fri Feb 19 03:34:27 2016 -0800

    Use network RBAC feature for external access

    This allows access to external networks to be controlled via the
    RBAC framework added during Liberty with a new 'access_as_external'
    action.

    A migration adds all current external networks to the RBAC policies
    table with a wildcard indicating that all tenants can access the network
    as RBAC.

    Unlike the conversion of shared networks to RBAC, the external table
    is left in the DB to avoid invasive changes throughout the codebase
    to calculate the flag relative to the caller. So the current 'external'
    flag is used throughout the code base as it previously was for wiring
    up floating IPs, router gateway ports, etc. Then the RBAC entries are
    only referenced when determining what networks to show the tenants.

    API Behavior:
     * Marking a network as 'external' will automatically create a wildcard
       entry that allows that network to be accessed by all tenants.
     * An external network may have all of its RBAC entries deleted and then
       only an admin will be able to attach to it.
     * An RBAC 'access_as_external' entry cannot be deleted if it is required
       for a tenant that currently has a router attached to that network.
     * Creating an 'access_as_external' RBAC entry will automatically convert
       the network into an external network. (This is to enable a workflow
       where a private external network is never visible to everyone.)
     * The default policy.json will prevent a non-admin from creating wildcard
       'access_as_external' RBAC entries to align with the current default policy
       we have on setting the 'external' field on the network to prevent polluting
       everyone else's network lists.
     * The default policy.json will allow a tenant to create an
       'access_as_external' RBAC entry to allow specific tenants
       (including itself) the ability to use its network as an external network.

    Closes-Bug: #1547985
    DocImpact: External networks can now have access restricted to small subsets
               of tenants
    APIImpact: 'access_as_external' will be allowed as an action in the RBAC
               API for networks
    Change-Id: I4d8ee78a9763c58884e4fd3d7b40133da659cd61

Changed in neutron:
status: In Progress → Fix Released
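As an added illustration (not Neutron's own code), a small Python model of the 'access_as_external' behaviour listed in the commit message: marking a network external creates a wildcard entry, creating an entry converts the network to external, only targeted tenants or admins can see and attach to it, and an entry a tenant's attached router still depends on cannot be deleted. Network and tenant names are constructed.

```python
from dataclasses import dataclass, field

WILDCARD = "*"  # target tenant meaning "every tenant" (the entry created on 'external')

class RbacInUse(Exception):
    """The entry still provides the only access a tenant's attached router relies on."""

@dataclass
class Network:
    name: str
    external: bool = False
    rbac: set = field(default_factory=set)     # targets of access_as_external entries
    routers: set = field(default_factory=set)  # tenants with a router attached here

def set_external(net):
    """Marking a network 'external' automatically adds the wildcard RBAC entry."""
    net.external = True
    net.rbac.add(WILDCARD)

def grant_external(net, target_tenant):
    """Creating an access_as_external entry also converts the network to external."""
    net.rbac.add(target_tenant)
    net.external = True

def can_use(net, tenant, is_admin=False):
    """Admins always; others only via a wildcard or an entry naming their tenant."""
    return net.external and (is_admin or WILDCARD in net.rbac or tenant in net.rbac)

def attach_router(net, tenant, is_admin=False):
    """Router gateway attachment is refused for tenants without access."""
    if not can_use(net, tenant, is_admin):
        raise PermissionError(f"{tenant} may not use {net.name} as an external network")
    net.routers.add(tenant)

def revoke_external(net, target_tenant):
    """Delete an entry unless a tenant with an attached router would lose access."""
    if target_tenant not in net.rbac:
        raise KeyError(target_tenant)
    remaining = net.rbac - {target_tenant}
    for tenant in net.routers:
        if WILDCARD not in remaining and tenant not in remaining:
            raise RbacInUse(f"{tenant} still has a router attached to {net.name}")
    net.rbac = remaining  # deleting every entry leaves the network admin-only

def visible_external_networks(nets, tenant, is_admin=False):
    """What an external-network listing returns for this caller."""
    return [n.name for n in nets if can_use(n, tenant, is_admin)]

if __name__ == "__main__":
    public, gold = Network("public"), Network("gold-floating")  # constructed names
    set_external(public)
    grant_external(gold, "tenant-a")
    attach_router(gold, "tenant-a")
    print(visible_external_networks([public, gold], "tenant-b"))  # ['public']
```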
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b3

This issue was fixed in the openstack/neutron 8.0.0.0b3 development milestone.
