Neutron with noauth authentication strategy needs fake 'project_id' in request body

Bug #1934039 reported by Rabi Mishra
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Rabi Mishra
Milestone: (none)

Bug Description

Neutron can be deployed standalone without keystone using authentication_strategy=noauth. However, with the policy enforcement for resources [1] requiring the tenant_id/project_id in the request body or the 'X_PROJECT_ID' header, one can't create resources without providing a fake project_id in POST requests.

Neutron should remove the need for requests to have a fake project_id. Also, neutron does not support the 'http_basic' auth_strategy atm, which would be a good addition.

[1] https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/port.py#L90

Revision history for this message
Akihiro Motoki (amotoki) wrote :

"required_by_policy" in the API definition just means that this field is used in the policy evaluation.
The default policy rules (defined in the code) assume the auth strategy is keystone, so we cannot drop required_by_policy from the API definition.

If you would like to use "noauth" as the auth strategy, you need to customize the policy rules too so that the policy rules do not refer to project_id (i.e. tenant_id).

If you assume the default policy rules provided by neutron should work with auth_strategy=noauth, it is not our current target.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

> Also, neutron does not support 'http_basic' auth_strategy atm which would be a good addition.

This is not related to this issue, but if you need it you should configure neutron API server via a web server like apache with mod_wsgi and the basic auth should be configured in the web server like apache. If you would like to discuss this more, please file a separate bug.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Per #1, this bug is almost marked as "Won't Fix", but I would like to wait for a response from the bug submitter.

Revision history for this message
Rabi Mishra (rabi) wrote :

Hi Akihiro,

Thanks for the quick response.

Are you suggesting that using a custom policy.json with something like the rule below would bypass the policy check for the port resource's 'tenant_id' attribute?

{"create_port:tenant_id": ""}

If not, can you suggest where and how these policies can be configured, or would it need code changes?

From my testing, those kinds of policies do not seem to help.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

After a chat with Rabi, it turns out that this cannot be bypassed by a policy customization like {"create_network": ""}. The neutron API assumes project_id/tenant_id is populated [1]. In the case of noauth, nobody populates it in the neutron API layer, so it seems that passing project_id is a (hidden) requirement when the noauth strategy is used.

AFAIK noauth auth strategy is not tested well for years and there may be hidden assumptions/requirements when using noauth.

[1] https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/attributes.py#L266-L269

Revision history for this message
Akihiro Motoki (amotoki) wrote :

The original discussion happened in https://review.opendev.org/c/openstack/metalsmith/+/798240.
I am adding it just for reference so that we can understand the context/need more.

Revision history for this message
Dmitry Tantsur (divius) wrote :

Hi folks.

As I said on the metalsmith patch in question, I don't believe that metalsmith is the right place for a permanent workaround. I think one of 3 things should happen:

1) If the Neutron team truly cares about the no-auth use case, please fix the issue. Asking API consumers to provide fake values to satisfy pointless validation is not a good API. This way it would benefit all no-auth consumers, not only metalsmith and TripleO.

2) If the fix is too complicated, I think the workaround with a fake project_id value should be done in Neutron proper. Again, that would benefit everyone and will allow the Neutron team to remove it transparently when/if the bug is properly fixed.

3) If the Neutron team does not care about the no-auth use case enough to do 1) or 2), please make it explicit, so that people don't try to use this mode.

Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/799162

Changed in neutron:
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
assignee: nobody → Rabi Mishra (rabi)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799162
Committed: https://opendev.org/openstack/neutron/commit/ec550f5f52c5377f57499eeadd7e0d665dcdb73d
Submitter: "Zuul (22348)"
Branch: master

commit ec550f5f52c5377f57499eeadd7e0d665dcdb73d
Author: ramishra <email address hidden>
Date: Fri Jul 2 11:07:22 2021 +0530

    Add fake_project_id middleware for noauth

    This adds a middleware for noauth that would inject a fake
    project_id for create requests. This would ensure that api
    consumers don't have to provide a fake project_id in requests.

    Closes-Bug: #1934039
    Change-Id: I5e1de571034be41f1147c130fce66e6cf70b1369

Changed in neutron:
status: In Progress → Fix Released
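The approach the merged commit describes (a noauth middleware that injects a fake project_id into create requests so the attribute handling in comment #5 is satisfied), as an added illustrative sketch that is not neutron's own code: the stand-in API, the `FAKE_PROJECT_ID` placeholder value and the WSGI driver helper are assumptions made for this example, and the body shapes handled (single `{"port": {...}}` and bulk `{"ports": [...]}`) follow the neutron create API.

```python
import json
from io import BytesIO

FAKE_PROJECT_ID = "fake_project_id"  # constructed placeholder, not neutron's value

def inject_project_id(body, fake_project_id=FAKE_PROJECT_ID):
    # Add project_id to each resource dict (single or bulk create body) that has
    # neither project_id nor tenant_id; empty or non-JSON bodies pass through.
    try:
        data = json.loads(body) if body else None
    except ValueError:
        return body
    if not isinstance(data, dict):
        return body
    for value in data.values():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, dict) and not (
                    item.get("project_id") or item.get("tenant_id")):
                item["project_id"] = fake_project_id
    return json.dumps(data).encode("utf-8")

class FakeProjectIdMiddleware:
    # WSGI filter: rewrite POST bodies so the client need not fake project_id.
    def __init__(self, app, fake_project_id=FAKE_PROJECT_ID):
        self.app, self.fake_project_id = app, fake_project_id

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST":
            raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
            new_raw = inject_project_id(raw, self.fake_project_id)
            environ["wsgi.input"] = BytesIO(new_raw)
            environ["CONTENT_LENGTH"] = str(len(new_raw))
        return self.app(environ, start_response)

def strict_create_app(environ, start_response):
    # Hypothetical stand-in for an API that rejects a create without project_id/tenant_id.
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    resource = next(iter(json.loads(body).values()))
    if not (resource.get("project_id") or resource.get("tenant_id")):
        start_response("400 Bad Request", [])
        return [b"project_id required"]
    start_response("201 Created", [])
    return [json.dumps(resource).encode("utf-8")]

def post(app, body):
    # Drive a WSGI app with one POST; return (status line, response bytes).
    status = []
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": BytesIO(body)}
    out = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], out
```

Without the filter the stand-in API answers 400 to a bare `{"port": {"network_id": ...}}` body; with `FakeProjectIdMiddleware` wrapped around it the same request is accepted, while bodies that already carry project_id or tenant_id are left untouched.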
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/799891

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799891
Committed: https://opendev.org/openstack/neutron/commit/c1390d86a0e1748b739544a6dc9b6aff070eeff7
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit c1390d86a0e1748b739544a6dc9b6aff070eeff7
Author: ramishra <email address hidden>
Date: Fri Jul 2 11:07:22 2021 +0530

    Add fake_project_id middleware for noauth

    This adds a middleware for noauth that would inject a fake
    project_id for create requests. This would ensure that api
    consumers don't have to provide a fake project_id in requests.

    Closes-Bug: #1934039
    Change-Id: I5e1de571034be41f1147c130fce66e6cf70b1369
    (cherry picked from commit ec550f5f52c5377f57499eeadd7e0d665dcdb73d)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/800410

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.1.0

This issue was fixed in the openstack/neutron 18.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.0.0.0rc1

This issue was fixed in the openstack/neutron 19.0.0.0rc1 release candidate.
