external_gateway_info enable_snat attribute should be owner-modifiable

Bug #1793207 reported by Brian Haley
Affects: neutron; Status: Won't Fix; Importance: Low; Assigned to: Brian Haley; Milestone: none

Bug Description

Currently, policy.json restricts who can change the 'enable_snat' setting of a router. For example:

stack@18-04:~/devstack$ openstack router show -c external_gateway_info router1
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| external_gateway_info | {"network_id": "91bdb30f-9be8-45ac-a313-bb33a99e92dc", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "e9b318e1-01af-49a1-90bc-ffe949a42e05", "ip_address": "172.24.4.3"}, {"subnet_id": "73f36385-d58a-4b74-9262-bcb603e73aee", "ip_address": "2001:db8::6"}]} |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
stack@18-04:~/devstack$ openstack router set --disable-snat --external-gateway 91bdb30f-9be8-45ac-a313-bb33a99e92dc router1
HttpException: 403: Client Error for url: http://10.18.57.23:9696/v2.0/routers/783d4563-c4d4-417c-a5de-eb7668373f63, {"NeutronError": {"message": "(rule:update_router and (rule:update_router:external_gateway_info and (rule:update_router:external_gateway_info:network_id and rule:update_router:external_gateway_info:enable_snat))) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

I'm not sure there's a good reason the owner can't modify this, and looking back through the blueprints there was only a mention of it - "for instance a provider might want to restrict enable_snat to admin only users" - so it seems it was intended for the owner originally with the caveat that the admin could restrict if necessary.

This fix would be as simple as updating these two entries:

"create_router:external_gateway_info:enable_snat": "rule:admin_only"
"update_router:external_gateway_info:enable_snat": "rule:admin_only"

to have:

"rule:admin_or_owner"

Perhaps there's something I'm missing, so will need to discuss with others to see if this should change.

Tags: l3-ipam-dhcp
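
Added example (not from the bug report or from neutron's own code): a simplified stand-in for oslo.policy rule evaluation over the rule names in the 403 message above, showing why the owner's call is denied under the admin_only default and what the proposed admin_or_owner change would permit. The policy defaults are reproduced from memory of neutron's policy.json of that era (an assumption; check your deployment's file) and the user/project values are constructed.

```python
"""Simplified stand-in for oslo.policy rule evaluation (not the real library):
why a router owner's 'router set --disable-snat' is rejected, and what the
proposed admin_or_owner change would allow."""
import re

# Defaults reproduced from memory of neutron's policy.json of that era
# (assumption: verify against your deployment's policy file).
POLICY_ADMIN_ONLY = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "admin_only": "rule:context_is_admin",
    "update_router": "rule:admin_or_owner",
    "update_router:external_gateway_info": "rule:admin_or_owner",
    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
}
# The change proposed in the report: owner-modifiable enable_snat.
POLICY_PROPOSED = {**POLICY_ADMIN_ONLY,
                   "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner"}

def check(rule, target, creds, policy):
    """Evaluate one rule string. Supports 'or', 'and', 'rule:', 'role:' and
    '<key>:%(target_key)s' comparisons, which is all the rules above need.
    'and' binds tighter than 'or', as in oslo.policy; no parentheses."""
    if " or " in rule:
        return any(check(p, target, creds, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, target, creds, policy) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(policy[value], target, creds, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)   # e.g. tenant_id:%(tenant_id)s
    if m:
        return creds.get(kind) == target.get(m.group(1))
    return str(creds.get(kind)) == value

def update_enable_snat_allowed(creds, router, policy):
    """Neutron checks the action rule plus one rule per attribute and
    sub-attribute being changed, all ANDed, as the 403 message shows."""
    rules = ["update_router",
             "update_router:external_gateway_info",
             "update_router:external_gateway_info:network_id",
             "update_router:external_gateway_info:enable_snat"]
    return all(check("rule:" + r, router, creds, policy) for r in rules)

# Constructed sample credentials and router target (not real identifiers).
OWNER = {"tenant_id": "proj-a", "roles": ["member"]}
ADMIN = {"tenant_id": "admin-proj", "roles": ["admin"]}
OTHER = {"tenant_id": "proj-b", "roles": ["member"]}
ROUTER1 = {"tenant_id": "proj-a"}
```

Under the default the owner is denied and only the admin passes; under the proposed rule the owner passes while a user from another project is still denied, which is the risk the later comments weigh against self-service.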
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/603485

Changed in neutron:
status: Confirmed → In Progress
Miguel Lavalle (minsel) wrote :

Hi Brian,

Looking at the git log, I can see that Salvatore and Akihiro were involved in defining the policy in its current form: https://review.openstack.org/#/c/29014/. I sent them an email, copying you, asking for their input.

Akihiro Motoki (amotoki) wrote :

Sorry for the super late reply.

From my old memory, the discussion on enable_snat was as below.

In order to make enable_snat=False work, an external network and a tenant network need to be reachable. This means it needs to be coordinated by a cloud admin. Tenants cannot decide the IP range for their self-service subnets. From this observation, we decided to make enable_snat available only to admins.

The concept of address scope was introduced after that. IMHO the enable_snat attribute should be superseded by the address scope, and the attribute should be dropped in the future, because the address scope concept can handle whether two networks are routable or not. If a tenant network is not routable to an external network, it means enable_snat = True, and we can determine it by comparing the address scopes of the two networks.

Thought?

Brian Haley (brian-haley) wrote :

Was just going through old bugs and patches and noticed this one, updating based on information I received.

From Salvatore:

"My recollection is the same as Akihiro's. A tenant has no knowledge of IP addressing beyond the resources it owns, and since a no-snat configuration implies E-W L3 forwarding, an “admin” entity should be required to set this attribute. Another reason: making this capability self-service was breaking some use cases (more specifically an IPv6-only cloud service that never did NAT, I think you remember them😉 ). On the other hand, the main driver was other operators complaining that in their environment they really did not need NAT, whereas the reference implementation was SNATting by default. So limiting the capability to admins was also one of the many compromises we did back in the heyday of Neutron…"

So having this an admin-controlled setting is mandatory.

Changed in neutron:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Brian Haley (<email address hidden>) on branch: master
Review: https://review.opendev.org/603485
Reason: It was intentional to make this admin-only, see the bug for more information.
