Create/update port binding:* policies are admin only, which prevents for example ironic service user with service role to manage baremetal ports:
"http://192.0.2.10:9292", "region": "RegionOne"}], "id": "e6e42ef4fc984e71b575150e59a92704", "type": "image", "name": "glance"}]}} get_auth_ref /var/lib/kolla/venv/lib64/python3.9/site-packages/keystoneauth1/identity/v3/base.py:189
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron [None req-6737aef3-c823-4f7c-95ec-1c9f38b14faa a4dbb0dc59024c199843cea86603308b 9fd64a4cbd774756869cb3968de2e9b6 - - default default] Unable to clear binding profile for neutron port 291dbb7b-5cc8-480d-b39d-eb849bcb4a64. Error: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy: openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron Traceback (most recent call last):
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 130, in unbind_neutron_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron update_neutron_port(context, port_id, attrs_unbind, client)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 109, in update_neutron_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return client.update_port(port_id, **attrs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 2992, in update_port
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return self._update(_port.Port, port, if_revision=if_revision, **attrs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/proxy.py", line 61, in check
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return method(self, expected, actual, *args, **kwargs)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 202, in _update
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return res.commit(self, base_path=base_path, if_revision=if_revision)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1803, in commit
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron return self._commit(
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1848, in _commit
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron self._translate_response(response, has_body=has_body)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1287, in _translate_response
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron exceptions.raise_from_response(response, error_message=error_message)
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/exceptions.py", line 250, in raise_from_response
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron raise cls(
2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
Hi Bartosz,
Yes, by default this is prohibited. However oslo.policy based policies are configurable.
For example, in my devstack I don't have ironic deployed, but I reproduced the problem using the unprivileged 'demo' user:
$ source openrc demo demo 192.168. 122.225: 9696/networking /v2.0/ports/ 4d6fa1c1- bbb0-4298- a901-c3dec7f1b1 f1, (rule:update_port and rule:update_ port:binding: host_id) is disallowed by policy
$ openstack network create net0
$ openstack subnet create --network net0 --subnet-range 10.0.0.0/24 subnet0
$ openstack port create --network net0 port0
$ openstack port set --host devstack0 port0
ForbiddenException: 403: Client Error for url: http://
While in q-svc logs I had this:
febr 13 14:03:42 devstack0 neutron- server[ 5814]: DEBUG neutron.policy [None req-9fa226e6- 2ae5-4abe- 9b70-efc749ef49 13 None demo] Enforcing rules: ['update_port', 'update_ port:binding: host_id' ] {{(pid=5814) log_rule_list /opt/stack/ neutron/ neutron/ policy. py:457} } server[ 5814]: DEBUG neutron.policy [None req-9fa226e6- 2ae5-4abe- 9b70-efc749ef49 13 None demo] Failed policy enforce for 'update_port' {{(pid=5814) enforce /opt/stack/ neutron/ neutron/ policy. py:530} }
febr 13 14:03:42 devstack0 neutron-
The non-default policy configuration is looked up by oslo.policy in /etc/neutron/ policy. {json,yaml} . Today I believe the yaml format is preferred. But for some reason devstack still created the old json format for me. So first I migrated the one-line json file to yaml:
$ cat /etc/neutron/ policy. json is_admin" : "role:admin or user_name:neutron"}
{"context_
$ cat /etc/neutron/ policy. yaml
"context_is_admin": "role:admin or user_name:neutron"
I believe this all was deployment (here devstack) specific.
I also told oslo.policy running in neutron-server to use the yaml formatted file: neutron. conf: policy. yaml
/etc/neutron/
[oslo_policy]
policy_file = /etc/neutron/
Then I changed the policy for port binding from the default: port:binding: host_id" : "rule:admin_only" to port:binding: host_id" : "rule:admin_ or_owner"
"update_
"update_
After this change the above "openstack port set --host" starts working. Even without restarting neutron-server.
In your environment of course you want to use a different rule, maybe something like this: port:binding: host_id" : "(rule:admin_only) or (rule:service_api)"
"update_
Since I don't have ironic in this environment, I could not test this rule. But please have a look at the documentation, I'm virtually sure there's a way to set what you need.
https:/ /docs.openstack .org/neutron/ latest/ configuration/ policy. html /docs.openstack .org/neutron/ latest/ configuration/ policy- sample. html /docs.openstack .org/oslo. policy/ latest/
https:/
https:/
Regarding the default, I believe for most environments it is good that only the admin can change port bindings. If you believe differently, please share your reasons. Until then I'm marking this as not a bug.
Regards,
Bence