Floating IP attach/detach fails for non-admin user and unbound port with router in different tenant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Brian Haley |
Bug Description
Seeing this on Pike, but the code looks the same in master, so the issue likely still exists.
We have a shared external network connected to a router in tenantA. Now create a network, either shared in tenantA or owned by tenantB, and attach it to tenantA's router (an admin user will have to do this).
Now suppose a non-admin user in the different tenant, tenantB, creates a Floating IP on the shared external network. They then try to attach it to a port. It passes if the port is bound to a VM. It fails if the port is unbound. For example, pre-create a port on a network/subnet available to this tenant, and then try the following /floatingips/ PUT API call. It will fail. Then bring up a VM on the same network and attach the Floating IP to its port; this will pass:
```
curl -k -X PUT -i https:/
HTTP/1.1 404 Not Found
Server: nginx/1.12.2
Date: Tue, 06 Nov 2018 07:31:54 GMT
Content-Type: application/json
Content-Length: 135
Connection: keep-alive
X-Openstack-
Access-
{"NeutronError": {"message": "Router b819cfbb-
```
```
curl -k -X PUT -i https:/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 06 Nov 2018 07:15:10 GMT
Content-Type: application/json
Content-Length: 584
Connection: keep-alive
X-Openstack-
Access-
Access-
{"floatingip": {"router_id": "b819cfbb-
```
The problem is due to new code that allows binding a FIP to unbound ports via the SNAT router, from this diff: https:/
An additional get_router() call is made here, and it needs the elevated admin context to be passed in. It fails because the default policy for get_router is admin_or_owner, and it can't fetch the SNAT router in a different tenant. This code path is not hit for a VM port, as it is bound and has a host:
https:/
which invokes get_router() here:
https:/
Need to pass in context.elevated() in either one of those two places; thinking the first location might be better?
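The access check the report describes, as an added example that is not neutron's code: a toy model with a tenant-scoped context, an admin_or_owner policy on router reads, and a floating-IP association that only needs the router lookup for unbound ports. Names such as Context, ROUTERS, get_router and associate_floatingip are hypothetical stand-ins for neutron's context object, router table and the l3_dvr_db floating-IP path; the router and tenants are constructed data.

```python
# Added example (not neutron's code): a toy model of the access check
# behind this bug. Context, ROUTERS, get_router and associate_floatingip
# are hypothetical stand-ins for neutron's context object, router DB and
# the floating-IP association path in l3_dvr_db.
from dataclasses import dataclass, replace


class RouterNotFound(Exception):
    """Stands in for the 404 the API returned above."""


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

    def elevated(self):
        # Admin copy of the same context, like neutron's context.elevated().
        return replace(self, is_admin=True)


# Constructed data: the SNAT router is owned by tenantA.
ROUTERS = {"router-a": {"tenant_id": "tenantA"}}


def admin_or_owner(ctx, obj):
    """Default get_router policy: admins, or the owning tenant, may read."""
    return ctx.is_admin or obj["tenant_id"] == ctx.tenant_id


def get_router(ctx, router_id):
    router = ROUTERS.get(router_id)
    if router is None or not admin_or_owner(ctx, router):
        # Policy failures surface as "not found" so callers cannot probe
        # for routers they are not allowed to see.
        raise RouterNotFound(f"Router {router_id} could not be found")
    return router


def associate_floatingip(ctx, port, router_id, elevate):
    """Return which path handled the association.

    Bound ports (those with a host) never reach the SNAT-router lookup;
    unbound ports need it, and a non-admin caller can only read a router
    owned by another tenant through an elevated context.
    """
    if port.get("binding_host"):
        return "bound-port"
    lookup_ctx = ctx.elevated() if elevate else ctx
    get_router(lookup_ctx, router_id)
    return "unbound-port-via-snat-router"


def can_associate(ctx, port, router_id, elevate):
    """True if the association succeeds, False if the router lookup is denied."""
    try:
        associate_floatingip(ctx, port, router_id, elevate)
        return True
    except RouterNotFound:
        return False


if __name__ == "__main__":
    tenant_b = Context("tenantB")
    vm_port = {"binding_host": "compute1"}
    unbound_port = {}
    print("bound port, caller ctx:   ", can_associate(tenant_b, vm_port, "router-a", False))
    print("unbound port, caller ctx: ", can_associate(tenant_b, unbound_port, "router-a", False))
    print("unbound port, elevated:   ", can_associate(tenant_b, unbound_port, "router-a", True))
```

Only the internal router lookup is elevated; the caller's own context is still what authorizes the floating-IP operation itself, so elevating here lets the SNAT path find a router in another tenant without granting tenantB any other access to it.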
Changed in neutron: assignee: Arjun Baindur (abaindur) → Brian Haley (brian-haley)
I have verified that changing "context" to "context.elevated()" at https://github.com/openstack/neutron/blob/master/neutron/db/l3_dvr_db.py#L1098 fixes the issue, at least for the API example I gave above.