Neutron doesn't respect advsvc role while creating port

Bug #1796854 reported by Maciej Jozefczyk
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Maciej Jozefczyk
Milestone: (none)

Bug Description

Neutron doesn't allow a user with the 'advsvc' role to add a port to a network in another user's tenant.
The change that introduced the role:
https://review.openstack.org/#/c/101281/10
should allow that, but in fact there is no check for the advsvc role in neutron-lib:
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28

Error:
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges

----------------
Version
----------------
Devstack master.

----------------
How to reproduce
----------------

1. Set up devstack master, add a new project and a user in that project with the advsvc role
source devstack/openrc admin demo

openstack project create advsvc-project
openstack user create --project advsvc-project --password test advsvc-project-user
openstack role create advsvc
openstack role add --user advsvc-project-user --project advsvc-project advsvc
openstack role add --user advsvc-project-user --project advsvc-project member

2. Create a network in the other project.
openstack project create test-project
openstack user create --project test-project --password test test-project-user
openstack role add --user test-project-user --project test-project member

neutron net-create private-net-test-user --provider:network_type=vxlan --provider:segmentation_id=1234 --project-id [[ test-project-id ]]

neutron subnet-create private-net-test-user --name private-subnet-test-user --allocation-pool start=10.13.12.100,end=10.13.12.130 10.13.12.0/24 --dns-nameserver 8.8.8.8 --project-id [[ test-project-id ]]

3. Create a port in the test-project tenant as the user with the advsvc role:

stack@mjozefcz-devstack:~$ neutron port-create --tenant-id 865073224f7b4e9d9fdd4a446e3a4af4 private-net-test-user
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Specifying 'project_id' or 'tenant_id' other than the authenticated project in request requires admin privileges
Neutron server returns request_ids: ['req-e841edb1-2cf2-47b6-a493-11a56114a323']

Tags: api
Revision history for this message
Slawek Kaplonski (slaweq) wrote :

It looks like it should also check context.is_admin or context.is_advsvc in https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L28

tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
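The following is an added model of the ownership check the report and the comment above are talking about; it is not neutron-lib's own code. The shape of _validate_privileges() and the error text are taken from the bug report, while the Context class, PrivilegeError, port_create_allowed() and run() are assumptions standing in for neutron's request context and API layer. It contrasts the pre-fix check (only is_admin may set a foreign project_id) with the post-fix check (is_admin or is_advsvc), run over constructed requests that mirror the reproduction steps.

```python
"""Model of neutron-lib's project-ownership check, before and after the fix.

Added illustration, not neutron-lib's code. Only the is_admin / is_advsvc /
project_id attributes of the request context are modelled (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal stand-in for a neutron request context (assumption)."""
    project_id: str
    is_admin: bool = False
    is_advsvc: bool = False


class PrivilegeError(Exception):
    """Stands in for the HTTP 400 neutron returns (assumption)."""


# Error text copied from the bug report.
MSG = ("Specifying 'project_id' or 'tenant_id' other than the authenticated "
       "project in request requires admin privileges")


def _validate_privileges_before(context, res_dict):
    """Pre-fix behaviour: only is_admin may name a foreign project_id."""
    if ('project_id' in res_dict
            and res_dict['project_id'] != context.project_id
            and not context.is_admin):
        raise PrivilegeError(MSG)


def _validate_privileges_after(context, res_dict):
    """Post-fix behaviour: is_admin or is_advsvc may name a foreign project_id."""
    if ('project_id' in res_dict
            and res_dict['project_id'] != context.project_id
            and not (context.is_admin or context.is_advsvc)):
        raise PrivilegeError(MSG)


def port_create_allowed(validate, context, body):
    """Run one check over a port body; return (allowed, error message)."""
    try:
        validate(context, body)
    except PrivilegeError as e:
        return False, str(e)
    return True, ""


# Constructed project ids; TEST_PROJECT is the id used in the report's step 3.
ADVSVC_PROJECT = "advsvc-project-id"
TEST_PROJECT = "865073224f7b4e9d9fdd4a446e3a4af4"

# Constructed requests: (authenticated context, port body).
CASES = {
    "member, own project":
        (Context(TEST_PROJECT), {"project_id": TEST_PROJECT}),
    "member, foreign project":
        (Context(ADVSVC_PROJECT), {"project_id": TEST_PROJECT}),
    "advsvc, foreign project":
        (Context(ADVSVC_PROJECT, is_advsvc=True), {"project_id": TEST_PROJECT}),
    "admin, foreign project":
        (Context("admin-project-id", is_admin=True), {"project_id": TEST_PROJECT}),
    "advsvc, no project_id in body":
        (Context(ADVSVC_PROJECT, is_advsvc=True), {"name": "p0"}),
}


def run(validate):
    """Evaluate every case under one check; map case name -> allowed."""
    return {name: port_create_allowed(validate, ctx, body)[0]
            for name, (ctx, body) in CASES.items()}


if __name__ == "__main__":
    for label, validate in (("before fix", _validate_privileges_before),
                            ("after fix", _validate_privileges_after)):
        print(label)
        for name, ok in run(validate).items():
            print(f"  {name:32s} {'allowed' if ok else 'rejected'}")
```

Only the "advsvc, foreign project" row changes between the two checks: the member stays rejected, the admin stays allowed, and a body without project_id is never subject to the check. Note that advsvc is a cross-tenant privilege by design (the commit below describes CRUD on ports, subnets and networks in foreign tenants), so in a real deployment the role belongs only to trusted service accounts, not to ordinary project users.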
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609633

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.openstack.org/609633
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=00147a7d700e6d0142161152137bbab0c39ce4c0
Submitter: Zuul
Branch: master

commit 00147a7d700e6d0142161152137bbab0c39ce4c0
Author: Maciej Józefczyk <email address hidden>
Date: Thu Oct 11 08:57:29 2018 +0000

    Allow advsvc role to create port in foreign tenant

    Change [1] introduced support for advsvc role. This added
    possibility for user with role advsvc to make CRUD operations
    on ports, subnets and networks in foreign tenants.
    Due to the check in _validate_privileges() it was not working.
    This patch fixes that.

    Closes-Bug: #1796854

    [1] https://review.openstack.org/#/c/101281

    Change-Id: I6a3f91337bf8dd32012a75916e3409e30f46b50d

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 1.20.0

This issue was fixed in the openstack/neutron-lib 1.20.0 release.
