Cannot set --no-share on shared network covered also by "access_as_shared" RBAC policy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Slawek Kaplonski |
Bug Description
There is no possibility to set a network as not shared if it was also shared via an RBAC policy for some specific tenant.
How to reproduce the bug:
1. Create 2 projects (tenants): tenantA and tenantB
2. TenantA creates an external network (ext_net_A) + subnet
3. For the external network neutron automatically creates a wildcard 'access_
4. TenantA can create a new port on ext_net_A; TenantB is not allowed to do the same
5. Create a new 'access_as_shared' RBAC rule granting TenantB access to ext_net_A
6. TenantB is now able to create a port on ext_net_A
7. TenantA sets the shared flag to True on ext_net_A (openstack network set --share <net ID>), which creates a new wildcard 'access_as_shared' RBAC rule
8. TenantA tries to unshare ext_net_A (openstack network set --no-share <net ID>), which fails with: HttpException: Conflict
There were no ports added or any other changes made to ext_net_A between sharing and unsharing it.
Neutron should be able to unshare the network since the only tenant using it (tenantB) is already covered by a specific RBAC rule created in step 5.
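A simplified model of the unshare check, added here as an illustration and not neutron's own code: `strict=True` reproduces the Conflict described in the report, `strict=False` implements the behaviour the report asks for (a port owner that is still covered by a remaining tenant-specific `access_as_shared` rule does not block removal of the wildcard rule). The dataclasses, function names and the `strict` switch are assumptions of this model.

```python
from dataclasses import dataclass

WILDCARD = "*"  # target of the rule `openstack network set --share` creates

@dataclass
class RbacPolicy:
    object_id: str                  # network id
    target_tenant: str              # project id or WILDCARD
    action: str = "access_as_shared"

@dataclass
class Port:
    network_id: str
    tenant_id: str

@dataclass
class Network:
    net_id: str
    tenant_id: str                  # owning project

def tenants_with_access(network, policies):
    """Owner plus every target of an access_as_shared rule on this network."""
    allowed = {network.tenant_id}
    for p in policies:
        if p.object_id == network.net_id and p.action == "access_as_shared":
            allowed.add(p.target_tenant)
    return allowed

def blocked_tenants(network, policy, policies, ports, strict=False):
    """Projects whose ports would lose access if `policy` were deleted; empty = OK.
    strict=True models the reported behaviour: any port owned by another project
    blocks removal of the wildcard rule, even if a project-specific rule remains."""
    remaining = [p for p in policies if p is not policy]
    still_allowed = tenants_with_access(network, remaining)
    blocked = set()
    for port in ports:
        if port.network_id != network.net_id or port.tenant_id == network.tenant_id:
            continue
        covered = port.tenant_id in still_allowed or WILDCARD in still_allowed
        if (strict and policy.target_tenant == WILDCARD) or not covered:
            blocked.add(port.tenant_id)
    return blocked

def reproduce(strict):
    """Steps 5-8 of the report: TenantB holds a port plus a specific rule; TenantA unshares."""
    net = Network("ext_net_A", "tenantA")
    specific = RbacPolicy("ext_net_A", "tenantB")   # step 5
    wildcard = RbacPolicy("ext_net_A", WILDCARD)    # step 7 (--share)
    ports = [Port("ext_net_A", "tenantB")]          # step 6
    return blocked_tenants(net, wildcard, [specific, wildcard], ports, strict)
```

`reproduce(True)` returns `{"tenantB"}` (the reported Conflict), `reproduce(False)` returns an empty set, so the `--no-share` of step 8 would be allowed.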
Tags added: access-control
Fix proposed to branch: master
Review: https://review.openstack.org/561589