Policy: binding operations are prohibited for service role

Bug #2052937 reported by Bartosz Bezak
Affects                   Status        Importance  Assigned to        Milestone
OpenStack Compute (nova)  In Progress   High        sean mooney
neutron                   Fix Released  Medium      Slawek Kaplonski

Bug Description

Create/update port binding:* policies are admin only, which prevents, for example, the ironic service user with the service role from managing baremetal ports:

"http://192.0.2.10:9292", "region": "RegionOne"}], "id": "e6e42ef4fc984e71b575150e59a92704", "type": "image", "name": "glance"}]}} get_auth_ref /var/lib/kolla/venv/lib64/python3.9/site-packages/keystoneauth1/identity/v3/base.py:189
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron [None req-6737aef3-c823-4f7c-95ec-1c9f38b14faa a4dbb0dc59024c199843cea86603308b 9fd64a4cbd774756869cb3968de2e9b6 - - default default] Unable to clear binding profile for neutron port 291dbb7b-5cc8-480d-b39d-eb849bcb4a64. Error: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy: openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron Traceback (most recent call last):
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 130, in unbind_neutron_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron update_neutron_port(context, port_id, attrs_unbind, client)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 109, in update_neutron_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return client.update_port(port_id, **attrs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 2992, in update_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return self._update(_port.Port, port, if_revision=if_revision, **attrs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/proxy.py", line 61, in check
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return method(self, expected, actual, *args, **kwargs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 202, in _update
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return res.commit(self, base_path=base_path, if_revision=if_revision)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1803, in commit
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return self._commit(
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1848, in _commit
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron self._translate_response(response, has_body=has_body)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1287, in _translate_response
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron exceptions.raise_from_response(response, error_message=error_message)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/exceptions.py", line 250, in raise_from_response
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron raise cls(
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy

Tags: gate-failure
Revision history for this message
Bence Romsics (bence-romsics) wrote :

Hi Bartosz,

Yes, by default this is prohibited. However, oslo.policy-based policies are configurable.

For example, in my devstack I don't have ironic deployed, but I reproduced the problem using the unprivileged 'demo' user:

$ source openrc demo demo
$ openstack network create net0
$ openstack subnet create --network net0 --subnet-range 10.0.0.0/24 subnet0
$ openstack port create --network net0 port0
$ openstack port set --host devstack0 port0
ForbiddenException: 403: Client Error for url: http://192.168.122.225:9696/networking/v2.0/ports/4d6fa1c1-bbb0-4298-a901-c3dec7f1b1f1, (rule:update_port and rule:update_port:binding:host_id) is disallowed by policy

While in q-svc logs I had this:

febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Enforcing rules: ['update_port', 'update_port:binding:host_id'] {{(pid=5814) log_rule_list /opt/stack/neutron/neutron/policy.py:457}}
febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Failed policy enforce for 'update_port' {{(pid=5814) enforce /opt/stack/neutron/neutron/policy.py:530}}

The non-default policy configuration is looked up by oslo.policy in /etc/neutron/policy.{json,yaml}. Today I believe the yaml format is preferred. But for some reason devstack still created the old json format for me. So first I migrated the one-line json file to yaml:

$ cat /etc/neutron/policy.json
{"context_is_admin": "role:admin or user_name:neutron"}

$ cat /etc/neutron/policy.yaml
"context_is_admin": "role:admin or user_name:neutron"

I believe this all was deployment (here devstack) specific.

I also told oslo.policy running in neutron-server to use the yaml formatted file:
/etc/neutron/neutron.conf:
[oslo_policy]
policy_file = /etc/neutron/policy.yaml

Then I changed the policy for port binding from the default:
"update_port:binding:host_id": "rule:admin_only" to
"update_port:binding:host_id": "rule:admin_or_owner"

After this change the above "openstack port set --host" starts working, even without restarting neutron-server.

In your environment of course you want to use a different rule, maybe something like this:
"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

Since I don't have ironic in this environment, I could not test this rule. But please have a look at the documentation, I'm virtually sure there's a way to set what you need.

https://docs.openstack.org/neutron/latest/configuration/policy.html
https://docs.openstack.org/neutron/latest/configuration/policy-sample.html
https://docs.openstack.org/oslo.policy/latest/

Regarding the default, I believe for most environments it is good that only the admin can change port bindings. If you believe differently, please share your reasons. Until then I'm marking this as not a bug.

Regards,
Bence
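To make the effect of such an override concrete, here is an added example (not code from this thread, from neutron or from oslo.policy): a minimal evaluator for the subset of the oslo.policy rule language used above, run against the composite rule quoted in the 403 message. The rule texts are a simplified stand-in for neutron's defaults, and the service_api definition, the callers and the port are constructed assumptions; it also goes one step further than the comment by showing that update_port itself has to admit the SERVICE role, which is what the merged neutron fix does.

```python
import re

# Added model of the oslo.policy rule subset seen in this thread ("kind:value" checks,
# "rule:NAME" references, and/or, parentheses). Simplified stand-in rules; "service_api" is assumed.
DEFAULT_RULES = {
    "admin_only": "role:admin or user_name:neutron",
    "admin_or_owner": "rule:admin_only or tenant_id:%(tenant_id)s",
    "service_api": "role:service",
    "update_port": "rule:admin_or_owner",
    "update_port:binding:host_id": "rule:admin_only",
    "update_port:binding:profile": "rule:admin_only",
}
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")  # a paren, or a word that may embed %(field)s

def evaluate(expr, rules, creds, target):
    tokens = _TOKEN.findall(expr)
    def check(tok):  # one "kind:value" atom
        kind, _, value = tok.partition(":")
        if kind == "rule":                      # reference to a named rule
            return evaluate(rules[value], rules, creds, target)
        if kind == "role":                      # membership in the caller's role list
            return value in creds.get("roles", [])
        if value.startswith("%(") and value.endswith(")s"):  # value taken from the target (port)
            value = str(target.get(value[2:-2]))
        return str(creds.get(kind)) == value
    def parse(level=0):  # level 0: "or" chain, 1: "and" chain, 2: atom or parenthesised group
        if level == 2:
            tok = tokens.pop(0)
            val = parse() if tok == "(" else check(tok)
            if tok == "(":
                tokens.pop(0)                   # the matching ")"
            return val
        op, val = ("or", "and")[level], parse(level + 1)
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = parse(level + 1)              # always parsed, so tokens are consumed
            val = (val or rhs) if op == "or" else (val and rhs)
        return val
    return parse()

# Constructed callers (not from the bug); the target port belongs to project "p1".
OWNER = {"roles": ["member"], "tenant_id": "p1"}
IRONIC = {"roles": ["service"], "user_name": "ironic", "tenant_id": "svc"}
# Bence's override alone, then with update_port also opened to SERVICE users (as the merged fix does).
BINDING_OVERRIDE = {k: "(rule:admin_only) or (rule:service_api)"
                    for k in ("update_port:binding:host_id", "update_port:binding:profile")}
FULL_OVERRIDE = {**BINDING_OVERRIDE, "update_port": "rule:admin_or_owner or rule:service_api"}
REQUEST = ("(rule:update_port and rule:update_port:binding:host_id) and "
           "rule:update_port:binding:profile")  # the rule quoted in the bug's 403 message

def can_update_binding(creds, overrides=None):  # defaults merged with policy.yaml-style overrides
    return evaluate(REQUEST, {**DEFAULT_RULES, **(overrides or {})}, creds, {"tenant_id": "p1"})
```

With these rules the binding override alone still denies the service user because update_port only admits admins and owners; only FULL_OVERRIDE lets it through, while a plain project member stays denied either way.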

Changed in neutron:
status: New → Invalid
Changed in neutron:
status: Invalid → Triaged
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/909075

Changed in neutron:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/909366

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/909366
Committed: https://opendev.org/openstack/neutron-lib/commit/3aec8fdfeeb469419c9a6760355e203a1bc8a790
Submitter: "Zuul (22348)"
Branch: master

commit 3aec8fdfeeb469419c9a6760355e203a1bc8a790
Author: Slawek Kaplonski <email address hidden>
Date: Mon Feb 19 09:08:54 2024 +0100

    [S-RBAC] Add note about port:binding:profile field and SERVICE role

    With new default API policies binding:profile attribute of the port can
    be only set or updated by the SERVICE user. This patch adds small note
    about this to the Neutron API-REF document.

    Related-Bug: #2052937
    Change-Id: I0b2f2225e29537c9fd2de53b0945a451b9bcdde3

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/909075
Committed: https://opendev.org/openstack/neutron/commit/a644b3c62bab1ad3f1abb892811c00cf385415f9
Submitter: "Zuul (22348)"
Branch: master

commit a644b3c62bab1ad3f1abb892811c00cf385415f9
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 15 09:50:27 2024 +0100

    [S-RBAC] Change policies for port's binding:profile field

    According to the neutron API-REF [1] port's "binding:profile" field is
    intended to be used for the "machine-machine communication for compute
    services like Nova, Ironic or Zun to pass information to a Neutron
    back-end." so it should be allowed only for the users with the
    SERVICE role granted, not even for ADMIN.
    This patch updates those policies to be available only for SERVICE role
    when new, secure RBAC policies are enabled.

    Additionally this patch updates some policies for create, update and get
    port APIs to make them all work in the same way and allow them for the
    SERVICE users too.

    Finally this new policy for create/update_port:binding:profile has to
    be overwritten in the fullstack tests to be allowed also for admin user.
    It is done by adding custom policy file for the fullstack tests only.

    [1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port

    Closes-Bug: #2052937
    Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895

Changed in neutron:
status: In Progress → Fix Released
sean mooney (sean-k-mooney) wrote :

Nova has a job that was using a post hook for some extra sanity checks:
https://review.opendev.org/c/openstack/nova/+/909859
I have removed that, but until that merges nova-next is blocked.

Changed in nova:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → sean mooney (sean-k-mooney)
tags: added: gate-failure
sean mooney (sean-k-mooney) wrote :

Note this also breaks the trusted VF feature.

That currently required humans to set "trusted": true in the binding profile as an admin,

so we need to replace that with a port hint or new extension to request that feature.

Trusted VF is in general a security risk, which is why it's an admin-only feature, and any port hint or extension should be admin only by default.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/909859
Committed: https://opendev.org/openstack/nova/commit/2dff0f1c76c9ade41c23dce217621be012d653f3
Submitter: "Zuul (22348)"
Branch: master

commit 2dff0f1c76c9ade41c23dce217621be012d653f3
Author: Sean Mooney <email address hidden>
Date: Thu Feb 22 12:06:42 2024 +0000

    [S-RBAC] adapt nova-next for port's binding:profile field change

    The binding:profile now requires the service user token
    to be sent when modifying the binding:profile
    see I5c0094ff21439fe8977cfc623789a09067e6a895

    This is not currently supported intentionally by the openstack
    client as humans and users of the openstack client should not
    be making requests with a service token.

    The nova-next post hook had some additional assertions where we injected
    a fake key in the binding:profile just to assert it was not
    deleted. This can't work anymore so it has been removed.

    Related-Bug: #2052937
    Change-Id: I5c155f0613107ccee63b502ae1fed7a865e67829

Changed in nova:
importance: Critical → High
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 24.0.0.0rc1

This issue was fixed in the openstack/neutron 24.0.0.0rc1 release candidate.
