Policy rule rule:create_port:fixed_ips:subnet_id doesn't allow non-admin to create port on specific subnet

Bug #1801779 reported by Jim Rollenhagen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| neutron | Expired | Undecided | Unassigned | |

Bug Description

Running roughly master branch. According to pip, neutron==13.0.0.0rc2.dev324. I know that isn't super helpful from a dev perspective, but this is a kolla image and I don't have a great way to map this back to a SHA.

Trying to create a port on a specific subnet on a shared network. I have the following policy rules, which seem to imply I should be able to do this:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

Client logs here: https://gist.github.com/jimrollenhagen/82514bee47ad66e1e878c56d8fd66453

Not much showing up in neutron-server.log, but can provide more info if needed.

description: updated
tags: added: access-control
YAMAMOTO Takashi (yamamoto) wrote :

A few questions:

Can you create a port if you don't specify subnet_id?

Do you mean https://review.openstack.org/#/c/432850/ is not working well?

Changed in neutron:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired