Neutron doesn't respect advsvc role while creating port
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Maciej Jozefczyk |
Bug Description
Neutron doesn't allow a user with role 'advsvc' to add a port in another user's tenant network.
Introduced change:
https:/
Should allow that, but in fact in neutron-lib there is no validation for advsvc role:
https:/
Error:
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
----------------
Version
----------------
Devstack master.
----------------
How to reproduce
----------------
1. Set up devstack master, add a new project and a user in this project with role advsvc
source devstack/openrc admin demo
openstack project create advsvc-project
openstack user create --project advsvc-project --password test advsvc-project-user
openstack role create advsvc
openstack role add --user advsvc-project-user --project advsvc-project advsvc
openstack role add --user advsvc-project-user --project advsvc-project member
2. Create a network in another project.
openstack project create test-project
openstack user create --project test-project --password test test-project-user
openstack role add --user test-project-user --project test-project member
neutron net-create private-
neutron subnet-create private-
3. Create a port in test-project tenant by user with advsvc role:
stack@mjozefcz-
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
Neutron server returns request_ids: ['req-e841edb1-
Changed in neutron:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
It looks like it should check if context.is_admin or context.is_advsvc also in https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28
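
The check suggested in the comment above, modelled as an added example (not neutron-lib's code and not part of the bug report). `Context`, `PrivilegeError`, the validator names and the request body are hypothetical stand-ins constructed here; the example compares the admin-only rule with one that also accepts `advsvc`, and confirms a plain member is still rejected.

```python
from dataclasses import dataclass

MSG = ("Specifying 'project_id' or 'tenant_id' other than the authenticated "
       "project in request requires admin privileges")  # error text from the report

class PrivilegeError(Exception):
    """Stand-in for the HTTP 400 returned by the API (hypothetical name)."""

@dataclass(frozen=True)
class Context:
    """Minimal stand-in for a request context (constructed for this example)."""
    project_id: str
    is_admin: bool = False
    is_advsvc: bool = False

def requested_project(body):
    """Return the owner named in the request body, or None if unspecified."""
    return body.get("project_id", body.get("tenant_id"))

def validate_admin_only(context, body):
    """Behaviour described in the report: only admin may name another project."""
    owner = requested_project(body)
    if owner is not None and owner != context.project_id and not context.is_admin:
        raise PrivilegeError(MSG)

def validate_admin_or_advsvc(context, body):
    """Check suggested in the comment: admin or advsvc may name another project."""
    owner = requested_project(body)
    privileged = context.is_admin or context.is_advsvc
    if owner is not None and owner != context.project_id and not privileged:
        raise PrivilegeError(MSG)

def allowed(validator, context, body):
    """True if the validator accepts the request, False if it rejects it."""
    try:
        validator(context, body)
        return True
    except PrivilegeError:
        return False

def role_matrix(validator):
    """Send one cross-project port request as each role; True means accepted."""
    body = {"tenant_id": "test-project", "network_id": "net-1"}  # constructed
    contexts = {
        "member": Context("advsvc-project"),
        "advsvc": Context("advsvc-project", is_advsvc=True),
        "admin": Context("admin-project", is_admin=True),
    }
    return {role: allowed(validator, ctx, body) for role, ctx in contexts.items()}
```

Running `role_matrix` against both validators gives a small regression matrix: the only cell that should change between them is `advsvc`.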