Port creation on shared network fails with port_security defined

Bug #2030747 reported by Roman

Affects: neutron
Status: Invalid
Importance: Medium
Assigned to: Rodolfo Alonso
Milestone: (none)

Bug Description

OpenStack deployment: kolla-ansible 2023.1
Neutron version is reported as

ubuntu@os:~$ docker exec neutron_server neutron --version
neutron CLI is deprecated and will be removed in the Z cycle. Use openstack CLI instead.
9.0.0

When a user tries to create a port on a shared network, the operation fails when the option
[--enable-port-security | --disable-port-security]
is specified. If it is not, the port is created successfully with port_security_enabled = True.

ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --enable-port-security myport-01
ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --disable-port-security myport-01
ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy
ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 myport-01
+-------------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2023-08-08T11:56:10Z |
| data_plane_status | None |
| description | |
| device_id | |
| device_owner | |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='100.100.100.100', subnet_id='cf062558-3c32-48c3-96d1-dcaebad3ee71' |
| id | 19ba7a13-4f83-4b9f-81d1-2a2571758ef7 |
| ip_allocation | None |
| mac_address | fa:16:3e:32:64:43 |
| name | myport-01 |
| network_id | 30e7e427-c5f7-46b2-b04d-3ebccff5c532 |
| numa_affinity_policy | None |
| port_security_enabled | True |
| project_id | 71558625372d467c85061759fd2e6bf8 |
| propagate_uplink_status | None |
| qos_network_policy_id | 4898087a-930f-4cc8-ac8d-f464b81c2df1 |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 1 |
| security_group_ids | da5cef69-0aa6-4dbf-ba5f-a57e68fadc3a |
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2023-08-08T11:56:10Z |
+-------------------------+--------------------------------------------------------------------------------+

Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Roman:

This is the default security policy for non-admin users. By default, a non-admin user cannot create a port defining the flags "--disable-port-security" or "--enable-port-security". A non-admin user must create a port with "--enable-port-security" implicitly defined.

To avoid this default rule, you can change your Neutron policy file, adding a rule similar to the "create_port" one:
  "create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

Bear in mind that this is a potential security issue because you are allowing non-admin users to create ports without any security.

I'm closing this bug.

Regards.

Changed in neutron:
status: New → Invalid
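For readers who want to apply the override from the reply above without opening more than they intend to, here is an added policy.yaml example. It is not part of the bug report and not the Neutron project's own file. Assumptions not stated on the page: with kolla-ansible the override lives in /etc/kolla/config/neutron/policy.yaml and is merged on the next "kolla-ansible reconfigure"; "rule:admin_only" and "rule:shared" are the rule aliases Neutron's default policy defines; and the validated port body (with port_security_enabled already converted to a Python bool) is what Neutron hands to the policy enforcer as the target.

```yaml
# Added example (not from the bug report or from Neutron). Override for the
# attribute-level rule that produced the 403 in the report:
#   rule:create_port:port_security_enabled
#
# Assumed location under kolla-ansible: /etc/kolla/config/neutron/policy.yaml
# Keep exactly ONE of the two entries below; YAML keeps the last duplicate key.

# Option A: the blanket override from the reply above. Any project member may
# pass the flag with either value. This is the "potential security issue":
# a member can create a port with port_security_enabled=False, which turns off
# security-group filtering and MAC/IP anti-spoofing for that port.
"create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# Option B (narrower, my variant): members may pass the flag only when it is
# True, so "--enable-port-security" works on a shared network while
# "--disable-port-security" stays admin-only. "True:%(port_security_enabled)s"
# is an oslo.policy generic check: it compares the literal True with the
# request attribute; if the attribute is absent the check simply fails.
# Uncomment this line and delete Option A to use it.
# "create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s and True:%(port_security_enabled)s)"
```

After reconfiguring, verify with a plain member token that the first command in the report (--enable-port-security) now succeeds and that the second (--disable-port-security) still returns the 403 under Option B. Note that create_port rules are enforced only for attributes the request actually sets, so ports created without the flag are unaffected either way; also check the matching update_port:port_security_enabled rule, since a member who can set the flag at create time but not at update time (or the reverse) gives an inconsistent result.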