[RFE] Domain-defined RBAC

Bug #1649909 reported by kourosh vivan
Affects: neutron | Status: In Progress | Importance: Wishlist | Assigned to: kourosh vivan | Milestone: (none)

Bug Description

Hi,

I want to make an external network visible at a keystone domain-wide scope; I try this:

openstack network rbac create --target-project-domain DOMAIN_ID --action access_as_external --type network NETWORK_ID --target-project '*'
CommandError: No project with a name or ID of '*' exists.

Because it uses this call to retrieve the project:
http://controller.admin:35357/v3/projects?domain_id=DOMAIN_ID&name=%2A

RBAC specifications only use the domain during RBAC creation; the domain isn't stored in the DB:

MariaDB [neutron]> desc networkrbacs;
+---------------+--------------+------+-----+---------+-------+
| Field         | Type         | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+-------+
| id            | varchar(36)  | NO   | PRI | NULL    |       |
| object_id     | varchar(36)  | NO   | MUL | NULL    |       |
| project_id    | varchar(255) | YES  | MUL | NULL    |       |
| target_tenant | varchar(255) | NO   |     | NULL    |       |
| action        | varchar(255) | NO   | MUL | NULL    |       |
+---------------+--------------+------+-----+---------+-------+

Two questions:
1. Is it possible to create an RBAC for all projects using the CLI?
2. Is it planned to use target-project-domain not only at RBAC creation but also for filtering target projects?

Thanks,

Revision history for this message
Miguel Lavalle (minsel) wrote :

@Kourosh,

Isn't this the same as setting the network's 'shared' attribute to True? Please see the section titled "How the 'shared' flag relates to these entries" in this on-line document: http://docs.openstack.org/draft/networking-guide/config-rbac.html

Miguel Lavalle (minsel)
Changed in neutron:
status: New → Invalid
status: Invalid → Incomplete
Revision history for this message
Miguel Lavalle (minsel) wrote :

Since this is a question rather than a bug report, I am flagging it as invalid

Changed in neutron:
status: Incomplete → Invalid
Revision history for this message
kourosh vivan (kourosh-vivan) wrote :

@Miguel,

No, using shared or external allows all projects to use the resource without considering their domain_id.

I need to limit an RBAC to a domain_id not only a project_id.

Changed in neutron:
status: Invalid → New
Revision history for this message
kourosh vivan (kourosh-vivan) wrote :

I updated the status to New again because I added some information; this ticket is not a simple question. I see that RBACs are made to filter network sharing to specific tenants, but they don't consider the domain (see the database schema above).

The domain can be used in the CLI, but it is only used to filter tenants at RBAC creation (see the API call during RBAC creation above).

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

kevinbenton should be able to triage this further.

tags: added: rba
tags: added: access-control
removed: rba
Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
Revision history for this message
Kevin Benton (kevinbenton) wrote :

This is definitely an RFE.

Can a project's domain ever change? If not, this should be a reasonable feature to implement.

Changed in neutron:
importance: Undecided → Wishlist
tags: added: rfe
Changed in neutron:
assignee: Kevin Benton (kevinbenton) → nobody
status: New → Confirmed
Revision history for this message
songminglong (songminglong) wrote :

I think this is not a bug at all; you can just set the network's 'shared = true' property.

Revision history for this message
kourosh vivan (kourosh-vivan) wrote :

Hi, this is not a bug, this is a request to change. The current architecture doesn't allow sharing a network with a specific domain.

If I use "shared = true", all projects from all domains are affected. But I have a use case where I have to share a network with all projects belonging to domain A only.

summary: - Domain-defined RBAC
+ [RFE] Domain-defined RBAC
Revision history for this message
kourosh vivan (kourosh-vivan) wrote :

@kevinbenton

About the ability to change the domain of an existing project, the Keystone API v3 reference mentions this:

"The ability to change the domain of a project is now deprecated, and will be removed in a subsequent release. It is already disabled by default in most Identity service implementations."

source: https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=update-project-detail

Changed in neutron:
status: Confirmed → Triaged
Revision history for this message
Akihiro Motoki (amotoki) wrote :

I agree that this is a reasonable request.

We are making a change to include domain information in the neutron context object, and the RBAC mechanism can refer to it.

> Can a project's domain ever change? If not, this should be a reasonable feature to implement.
Agree. If a project's domain is changed after a port is created, the situation would be complicated.

Changed in neutron:
status: Triaged → In Progress
tags: added: rfe-approved
removed: rfe
Changed in neutron:
status: In Progress → Triaged
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

@kourosh: are you open to working on addressing this gap as you identified? If so, I think a spec would be a useful way to document how we expect this work from end to end. If not, then we'd need to find volunteers.

Revision history for this message
kourosh vivan (kourosh-vivan) wrote :

@armando Yes, I am able to make a spec about it.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/452677

Changed in neutron:
assignee: nobody → kourosh vivan (kourosh-vivan)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/452680

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-specs (master)

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/452680
Reason: duplicate of https://review.openstack.org/452677

Changed in neutron:
assignee: kourosh vivan (kourosh-vivan) → Aurelien Joga (aurelienjoga)
Changed in neutron:
assignee: Aurelien Joga (aurelienjoga) → kourosh vivan (kourosh-vivan)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/466711

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-specs (master)

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/466711
Reason: Duplicate of I13d5fa308a99c7e0009f26dc582d601965db509a

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by kourosh vivan (<email address hidden>) on branch: master
Review: https://review.openstack.org/452677
Reason: Abandoned because this feature will be handled as a fix. The current middleware doesn't populate the context with the full project hierarchy (all project parents + domain). When this is done, fixes must be made to neutron:
1. Fix project argument/parameter validation for the API and CLI to allow a domain (because a domain must be dealt with like a special project (keystone logic))
2. Fix filtering to check the updated context (with all parent projects, if they exist, and the domain)
3. Update the doc
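As an added illustration, not Neutron's own code, of the gap discussed in this thread and of the filtering fix in step 2 above: a Python model of how a networkrbacs row grants visibility today (target_tenant is a project id or '*') and how a hypothetical target_domain column, checked against a domain_id carried in the request context, would confine a wildcard grant to one domain. The entry and context classes, the column name target_domain and the sample ids are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

WILDCARD = "*"  # target_tenant value meaning "every project"; shared=True writes such a row

@dataclass(frozen=True)
class RbacEntry:
    """Model of one networkrbacs row; target_domain is a hypothetical extra column."""
    object_id: str                       # network id
    target_tenant: str                   # project id, or "*" (all the current schema has)
    action: str                          # "access_as_shared" or "access_as_external"
    target_domain: Optional[str] = None  # hypothetical: limit the grant to one domain

@dataclass(frozen=True)
class Context:
    """Request context; domain_id is the field the thread says middleware must populate."""
    project_id: str
    domain_id: str

def entry_grants(entry: RbacEntry, ctx: Context) -> bool:
    """Current rule is the project check alone; the domain check is the proposed extension."""
    project_ok = entry.target_tenant in (WILDCARD, ctx.project_id)
    domain_ok = entry.target_domain is None or entry.target_domain == ctx.domain_id
    return project_ok and domain_ok

def network_visible(ctx: Context, network_id: str, owner_project_id: str,
                    entries: Iterable[RbacEntry], action: str) -> bool:
    """True if ctx owns the network or some RBAC row for it (with this action) grants access."""
    if ctx.project_id == owner_project_id:
        return True
    return any(e.object_id == network_id and e.action == action and entry_grants(e, ctx)
               for e in entries)

# Constructed sample data: one external network owned by project "infra".
SHARED_TO_ALL = [RbacEntry("net-ext", WILDCARD, "access_as_external")]
SHARED_TO_DOMAIN_A = [RbacEntry("net-ext", WILDCARD, "access_as_external", target_domain="domA")]
PROJ_IN_A = Context("proj-1", "domA")
PROJ_IN_B = Context("proj-2", "domB")

def visibility_matrix() -> dict:
    """Who sees net-ext under each sharing style; keys are '<rows>/<requester domain>'."""
    out = {}
    for label, rows in (("wildcard", SHARED_TO_ALL), ("domain", SHARED_TO_DOMAIN_A)):
        for ctx in (PROJ_IN_A, PROJ_IN_B):
            out[f"{label}/{ctx.domain_id}"] = network_visible(
                ctx, "net-ext", "infra", rows, "access_as_external")
    return out
```

The wildcard rows reproduce the complaint in the thread (a project in domain B sees the network too); the domain-scoped row keeps the grant to domain A without enumerating its projects.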
