Neutron recently made a bunch of great progress evolving policy check strings to include default role support (admin, member, and reader) and system-scope [0]. Please reference keystone's default role and persona documentation for a primer on the authorization patterns we're trying to apply to neutron [1].
Despite these improved policies, neutron needs some additional work to understand system scope.
I was able to use a system-reader persona (someone with the `reader` role assigned on the system) to list networks in neutron. But, the response didn't contain all networks. It only included public and shared networks.
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud system-reader network list
+--------------------------------------+--------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+--------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
+--------------------------------------+--------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-system-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+
I have the following options set in my neutron.conf:

[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
policy_file = /etc/neutron/policy.json

Which should configure neutron to enforce scopes and new default policies allowing things like:
- system-admins to view all resources
- system-admins to create system-specific resources (public networks)
- system-readers to view all resources across projects and system-specific resources
- project-admins to view only networks available to their project
I started tracing through the neutron code and noticed it's building database queries using the request context object [2], which might be leading to why system-readers can't view all networks in a deployment.
This bug is likely something that affects more than just network resources, but I haven't done an exhaustive investigation, yet.
Hoping to get some feedback from folks more familiar with Neutron so that we can plan a path forward for properly consuming system-scope.
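The following is an added illustration, not neutron's or oslo.policy's code, of the two layers the report is about: the policy check that runs when enforce_scope and enforce_new_defaults are on, and the database-side visibility filter that is built from the request context. RequestContext, Network, the rule tuples, the persona objects and the three sample networks are all constructed for this example. The `visible_project_only` filter reproduces the symptom above (a system-scoped reader has no project_id and is not admin, so only shared/external rows come back); `visible_scope_aware` follows the persona list above instead, treating any system-scoped token as a deployment-wide view and restricting every project-scoped token, admin included, to its own project plus shared/external networks.

```python
"""Added example (not neutron's or oslo.policy's code): toy model of the policy
check and of the context-driven DB visibility filter for GET /networks.
All names below are constructed for this illustration."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


class InvalidScope(Exception):
    """Token scope does not match the rule's scope_types (enforce_scope=True)."""


class PolicyNotAuthorized(Exception):
    """Token carries none of the roles the rule requires."""


@dataclass
class RequestContext:
    """Stand-in for the request context handed to the query builder (assumption)."""
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None    # absent on a system-scoped token
    system_scope: Optional[str] = None  # 'all' on a system-scoped token

    @property
    def is_admin(self) -> bool:
        return "admin" in self.roles

    @property
    def token_scope(self) -> str:
        return "system" if self.system_scope else "project"


@dataclass
class Network:
    id: str
    name: str
    project_id: str
    shared: bool = False
    external: bool = False


# Constructed rows mirroring the three networks in the report's output.
NETWORKS = [
    Network("net-1", "shared", "proj-admin", shared=True),
    Network("net-2", "public", "proj-admin", external=True),
    Network("net-3", "private", "proj-demo"),
]

# Constructed personas (keystone's persona docs define the real ones).
SYSTEM_READER = RequestContext("u-sr", ["reader"], system_scope="all")
SYSTEM_ADMIN = RequestContext("u-sa", ["admin", "member", "reader"], system_scope="all")
PROJECT_ADMIN = RequestContext("u-pa", ["admin", "member", "reader"], project_id="proj-admin")
DEMO_MEMBER = RequestContext("u-dm", ["member", "reader"], project_id="proj-demo")


def enforce(scope_types: Sequence[str], roles: Sequence[str],
            ctx: RequestContext, enforce_scope: bool = True) -> bool:
    """Toy rule evaluation: scope check first (skipped when enforce_scope is
    False), then a role check. Raises on failure, returns True on success."""
    if enforce_scope and ctx.token_scope not in scope_types:
        raise InvalidScope(f"{ctx.token_scope}-scoped token, rule allows {list(scope_types)}")
    if not any(r in ctx.roles for r in roles):
        raise PolicyNotAuthorized(f"requires one of {list(roles)}, have {ctx.roles}")
    return True


def visible_project_only(ctx: RequestContext, rows: Sequence[Network]) -> List[Network]:
    """Filter keyed only on is_admin and project_id. A system-scoped reader is
    not admin and has no project_id, so only shared/external rows survive."""
    if ctx.is_admin:
        return list(rows)
    return [n for n in rows if n.shared or n.external or n.project_id == ctx.project_id]


def visible_scope_aware(ctx: RequestContext, rows: Sequence[Network]) -> List[Network]:
    """Filter that honours scope: system-scoped tokens see everything,
    project-scoped tokens (admin included) see their project plus shared/external."""
    if ctx.token_scope == "system":
        return list(rows)
    return [n for n in rows if n.shared or n.external or n.project_id == ctx.project_id]


def list_networks(ctx: RequestContext, scope_aware: bool) -> List[str]:
    """GET /networks: the rule admits readers in either scope, then the chosen
    filter decides which rows are returned (sorted names, for comparison)."""
    enforce(("system", "project"), ("reader", "member", "admin"), ctx)
    rows = visible_scope_aware(ctx, NETWORKS) if scope_aware else visible_project_only(ctx, NETWORKS)
    return sorted(n.name for n in rows)


def create_external_network(ctx: RequestContext, enforce_scope: bool = True) -> bool:
    """Creating a public (external) network is modelled as a system-admin-only
    rule: with enforce_scope=True a project-scoped admin is rejected outright."""
    return enforce(("system",), ("admin",), ctx, enforce_scope=enforce_scope)


if __name__ == "__main__":
    for persona, ctx in (("system-reader", SYSTEM_READER), ("system-admin", SYSTEM_ADMIN),
                         ("project-admin", PROJECT_ADMIN), ("demo-member", DEMO_MEMBER)):
        print(f"{persona:14} project-only: {list_networks(ctx, False)}"
              f"  scope-aware: {list_networks(ctx, True)}")
```

The point the model makes is that enforce_scope only gates the policy layer: the system-reader passes the rule for listing networks in both variants, and the difference is entirely in how the query builder interprets a context whose project_id is None. Treating that as "no project, so only shared rows" rather than "system scope, so every row" is the mismatch, and any other resource whose query is filtered the same way would show it too.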
[0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py