Port creation on shared network fails with port_security defined
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Medium | Rodolfo Alonso |
Bug Description
OpenStack deployment: kolla-ansible 2023.1
Neutron version is reported as
ubuntu@os:~$ docker exec neutron_server neutron --version
neutron CLI is deprecated and will be removed in the Z cycle. Use openstack CLI instead.
9.0.0
When a user tries to create a port on a shared network, the operation fails when the option
[--enable-
is specified. If it is not, the port is created successfully with port_security_
ubuntu@os:~$ openstack port create --network 30e7e427-
ForbiddenException: 403: Client Error for url: https:/
ubuntu@os:~$ openstack port create --network 30e7e427-
ForbiddenException: 403: Client Error for url: https:/
ubuntu@os:~$ openstack port create --network 30e7e427-
+------
| Field | Value |
+------
| admin_state_up | UP |
| allowed_
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2023-08-
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address=
| id | 19ba7a13-
| ip_allocation | None |
| mac_address | fa:16:3e:32:64:43 |
| name | myport-01 |
| network_id | 30e7e427-
| numa_affinity_
| port_security_
| project_id | 71558625372d467
| propagate_
| qos_network_
| qos_policy_id | None |
| resource_request | None |
| revision_number | 1 |
| security_group_ids | da5cef69-
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2023-08-
+------
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Hello Roman:
This is the default security policy for non-admin users. By default, a non-admin user cannot create a port defining the flags "--disable-port-security" or "--enable-port-security". A non-admin user must create a port with "--enable-port-security" implicitly defined.
To avoid this default rule, you can change your Neutron policy file, adding a rule similar to the "create_port" one:
"create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
Bear in mind that this is a potential security issue because you are allowing non-admin users to create ports without any security.
I'm closing this bug.
Regards.
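To show why the default denies the request on the page and why the quoted rule permits it, here is an added, constructed example (not neutron or oslo.policy code): a minimal evaluator for check strings of the kind used in the Neutron policy file, run against the page's scenario. The "default" entry approximating an admin-or-network-owner rule, the role names and the project ids are assumptions.

```python
import re  # Constructed mini oslo.policy-style evaluator, not oslo.policy/neutron code

# "default" approximates an admin-or-network-owner rule (assumed); "relaxed" is the page's rule
POLICIES = {
    "admin_only": "role:admin",
    "default": "rule:admin_only or project_id:%(network:project_id)s",
    "relaxed": "(rule:admin_only) or (role:member and project_id:%(project_id)s)",
}

def _tokenize(check_str):
    # Whitespace split, peeling parentheses off token ends as oslo.policy does.
    for tok in check_str.split():
        body = tok.lstrip("(")
        yield from "(" * (len(tok) - len(body))
        core = body.rstrip(")")
        yield from ([core] if core else []) + [")"] * (len(body) - len(core))

def _parse(tokens, i, level=0):
    # Recursive descent: level 0 = "or", level 1 = "and", level 2 = atom.
    if level == 2:
        if tokens[i] == "(":
            node, i = _parse(tokens, i + 1)
            return node, i + 1  # skip the closing ")"
        kind, _, value = tokens[i].partition(":")
        return ("check", kind, value), i + 1
    op = ("or", "and")[level]
    left, i = _parse(tokens, i, level + 1)
    while i < len(tokens) and tokens[i] == op:
        right, i = _parse(tokens, i + 1, level + 1)
        left = (op, left, right)
    return left, i

def _eval(node, creds, target):
    if node[0] in ("or", "and"):
        lhs, rhs = (_eval(n, creds, target) for n in node[1:])
        return (lhs or rhs) if node[0] == "or" else (lhs and rhs)
    _, kind, value = node
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)  # generic check, e.g. project_id:%(project_id)s
    return creds.get(kind) == (target.get(m.group(1)) if m else value)

def enforce(rule_name, creds, target):
    # True if creds may perform POLICIES[rule_name] against target.
    tree, _ = _parse(list(_tokenize(POLICIES[rule_name])), 0)
    return _eval(tree, creds, target)

# Constructed scenario: member's port in its own project on a shared network owned by the admin project
MEMBER, ADMIN = {"roles": ["member"], "project_id": "proj-a"}, {"roles": ["admin"], "project_id": "admin-proj"}
PORT = {"project_id": "proj-a", "network:project_id": "admin-proj"}
```

With the default rule the member is refused (the 403 on the page), with the relaxed rule any project member may set port security on their own ports, which is the exposure the comment warns about.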