[RBAC] User is not allowed to create port with fixed IP on shared network via RBAC
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Slawek Kaplonski | |
Bug Description
1. Create tenant1 with user1 and tenant2 with user2, assign testrole to both.
2. Change the default policy.json to allow creation of ports with fixed IP address in a shared network:
78c78
< "create_
---
> "create_
3. As user1 create a network and share it via RBAC to tenant2:
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network create rbacnet1
| Field | Value |
| admin_state_up | UP |
| availability_
| availability_zones | |
| created_at | 2019-06-
| description | |
| dns_domain | None |
| id | 8961329b-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | rbacnet1 |
| port_security_
| project_id | 4ff7e3db6d64429
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2019-06-
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network list
| ID | Name | Subnets |
| 8961329b-
| d6540930-
user1 (overcloud) [stack@undercloud-0 ~]$ openstack network rbac create --type network --action access_as_shared --target-project ba08ccc271614bf
| Field | Value |
| action | access_as_shared |
| id | e377033b-
| name | None |
| object_id | 8961329b-
| object_type | network |
| project_id | 4ff7e3db6d64429
| target_project_id | ba08ccc271614bf
user1 (overcloud) [stack@undercloud-0 ~]$ openstack subnet create --network rbacnet1 --subnet-range 10.0.100.0/24 --dhcp rbacsubnet1
| Field | Value |
| allocation_pools | 10.0.100.
| cidr | 10.0.100.0/24 |
| created_at | 2019-06-
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.100.1 |
| host_routes | |
| id | c00f565b-
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | rbacsubnet1 |
| network_id | 8961329b-
| project_id | 4ff7e3db6d64429
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2019-06-
4. As user2 try to create a port with a fixed IP
user2 (overcloud) [stack@undercloud-0 ~]$ . user2_rc
user2 (overcloud) [stack@undercloud-0 ~]$ openstack network list
| ID | Name | Subnets |
| 8961329b-
| d6540930-
user2 (overcloud) [stack@undercloud-0 ~]$ openstack network show rbacnet1 | grep shared
| shared | True |
user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx10 --network rbacnet1 --fixed-ip subnet=
5. Creating the port without fixed IP works fine
user2 (overcloud) [stack@undercloud-0 ~]$ openstack port create portx11 --network rbacnet1
| Field | Value |
| admin_state_up | UP |
| allowed_
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2019-06-
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address=
| id | 7fe12e20-
| mac_address | fa:16:3e:99:6e:6b |
| name | portx11 |
| network_id | 8961329b-
| port_security_
| project_id | ba08ccc271614bf
| qos_policy_id | None |
| revision_number | 2 |
| security_group_ids | 063f4f88-
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2019-06-
Expected result is that the port with fixed IP should be created following the policy.
Even though rule:shared should be honored, the policy is interpreted within an admin context where the network looks like shared = False.
Description is similar to an older bug:
- https:/
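The behaviour reported above, as an added example that is not part of the original report and is not Neutron's code: a simplified model in which a network's `shared` value is computed per caller from its RBAC entries, so a `shared` check run on a network fetched with an admin context differs from the same check run with user2's context. The `Context` and `RbacEntry` classes, the function names, the project and network identifiers, and the assumption that the admin context carries no project id are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    project_id: Optional[str]   # None models an admin context with no project (assumption)
    is_admin: bool = False


@dataclass(frozen=True)
class RbacEntry:
    object_id: str
    action: str
    target_project: str         # a project id, or "*" for every project


def network_view(net_id, owner, rbac_entries, ctx):
    """Return the network as seen by ctx; 'shared' depends on who is asking."""
    matches = {"*", ctx.project_id} - {None}
    shared = any(e.object_id == net_id
                 and e.action == "access_as_shared"
                 and e.target_project in matches
                 for e in rbac_entries)
    return {"id": net_id, "project_id": owner, "shared": shared}


def may_set_fixed_ip(requester, lookup_ctx, net_id, owner, rbac_entries):
    """Hypothetical policy: network owner, or a shared == True check on the
    parent network as fetched with lookup_ctx."""
    net = network_view(net_id, owner, rbac_entries, lookup_ctx)
    return requester.project_id == net["project_id"] or net["shared"] is True


# Constructed sample mirroring the report: user1 owns the network and
# shares it with user2's project only.
NET = "net-rbacnet1"
RBAC = [RbacEntry(NET, "access_as_shared", "project-user2")]
USER2 = Context("project-user2")
ADMIN = Context(None, is_admin=True)


def demo():
    with_admin_ctx = may_set_fixed_ip(USER2, ADMIN, NET, "project-user1", RBAC)
    with_user_ctx = may_set_fixed_ip(USER2, USER2, NET, "project-user1", RBAC)
    return with_admin_ctx, with_user_ctx


if __name__ == "__main__":
    print(demo())
```

In this model a wildcard (`*`) RBAC entry still passes under the admin context, which is why the mismatch only shows up for networks shared to specific projects.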
Changed in neutron: | |
importance: | Undecided → Medium |
status: | New → Confirmed |
assignee: | nobody → Slawek Kaplonski (slaweq) |
Fix proposed to branch: master
Review: https://review.opendev.org/666816