Hi Bartosz,
Yes, by default this is prohibited. However oslo.policy based policies are configurable.
For example, in my devstack I don't have ironic deployed, but I reproduced the problem using the unprivileged 'demo' user:
$ source openrc demo demo
$ openstack network create net0
$ openstack subnet create --network net0 --subnet-range 10.0.0.0/24 subnet0
$ openstack port create --network net0 port0
$ openstack port set --host devstack0 port0
ForbiddenException: 403: Client Error for url: http://192.168.122.225:9696/networking/v2.0/ports/4d6fa1c1-bbb0-4298-a901-c3dec7f1b1f1, (rule:update_port and rule:update_port:binding:host_id) is disallowed by policy
While in q-svc logs I had this:
febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Enforcing rules: ['update_port', 'update_port:binding:host_id'] {{(pid=5814) log_rule_list /opt/stack/neutron/neutron/policy.py:457}}
febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Failed policy enforce for 'update_port' {{(pid=5814) enforce /opt/stack/neutron/neutron/policy.py:530}}
The non-default policy configuration is looked up by oslo.policy in /etc/neutron/policy.{json,yaml}. Today I believe the yaml format is preferred. But for some reason devstack still created the old json format for me. So first I migrated the one-line json file to yaml:
$ cat /etc/neutron/policy.json
{"context_is_admin": "role:admin or user_name:neutron"}
$ cat /etc/neutron/ policy. yaml
"context_is_admin": "role:admin or user_name:neutron"
I believe this all was deployment (here devstack) specific.
I also told oslo.policy running in neutron-server to use the yaml-formatted file:
/etc/neutron/neutron.conf:
[oslo_policy]
policy_file = /etc/neutron/policy.yaml
Then I changed the policy for port binding from the default:
"update_port:binding:host_id": "rule:admin_only"
to
"update_port:binding:host_id": "rule:admin_or_owner"
After this change the above "openstack port set --host" starts working. Even without restarting neutron-server.
In your environment of course you want to use a different rule, maybe something like this:
"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"
Since I don't have ironic in this environment, I could not test this rule. But please have a look at the documentation, I'm virtually sure there's a way to set what you need.
https://docs.openstack.org/neutron/latest/configuration/policy.html
https://docs.openstack.org/neutron/latest/configuration/policy-sample.html
https://docs.openstack.org/oslo.policy/latest/
Regarding the default, I believe for most environments it is good that only the admin can change port bindings. If you believe differently, please share your reasons. Until then I'm marking this as not a bug.
Regards,
Bence
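To make the three "update_port:binding:host_id" variants from the comment above concrete, here is an added example (not part of Bence's comment, and not oslo.policy's or neutron's own code): a deliberately small evaluator for the oslo.policy rule syntax the thread uses ("role:", "user_name:", "rule:", "tenant_id:%(tenant_id)s", "and"/"or"/"not", parentheses). The base rules it ships with (admin_only, admin_or_owner, owner, service_api) are assumed to mirror neutron's long-standing defaults; the callers, project ids and the port are constructed sample data. It shows that admin_only blocks the demo user, admin_or_owner lets the port's owner bind it, and the admin_only-or-service_api variant admits a service-role user without opening the rule to owners.

```python
"""Simplified evaluator for the oslo.policy rule language (constructed example,
not oslo.policy's own code; use oslo.policy itself in a real deployment)."""

# Assumption: these mirror neutron's base rules. Verify against your own
# policy.yaml or the generated sample policy before relying on them.
BASE_RULES = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "service_api": "role:service",
}


def tokenize(expr):
    """Split on whitespace and peel off leading '(' / trailing ')' only, so that
    '%(tenant_id)s' inside a check stays a single token (as oslo.policy does)."""
    tokens = []
    for word in expr.split():
        n_open = len(word) - len(word.lstrip("("))
        core = word[n_open:]
        n_close = len(core) - len(core.rstrip(")"))
        core = core[:len(core) - n_close]
        tokens.extend("(" * n_open)
        if core:
            tokens.append(core)
        tokens.extend(")" * n_close)
    return tokens


class _Parser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | CHECK  (lowest precedence: or)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == "not":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return ("check", tok)


def parse_rule(expr):
    return _Parser(tokenize(expr)).parse()


def _check(tok, creds, target, rules, depth):
    """Evaluate one atomic check against the caller's credentials and the target."""
    if tok == "@":            # always allow
        return True
    if tok == "!":            # always deny
        return False
    kind, sep, match = tok.partition(":")
    if not sep:
        raise ValueError(f"malformed check {tok!r}")
    if kind == "rule":        # reference to another named rule; unknown -> deny
        if match not in rules:
            return False
        return _eval(parse_rule(rules[match]), creds, target, rules, depth + 1)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    # Generic check: the right-hand side may pull attributes from the target
    # via %(attr)s, e.g. tenant_id:%(tenant_id)s compares caller vs. port owner.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def _eval(node, creds, target, rules, depth=0):
    if depth > 20:            # guard against rule:a -> rule:b -> rule:a loops
        raise RecursionError("rule reference chain too deep")
    op = node[0]
    if op == "check":
        return _check(node[1], creds, target, rules, depth)
    if op == "not":
        return not _eval(node[1], creds, target, rules, depth)
    if op == "and":
        return _eval(node[1], creds, target, rules, depth) and _eval(node[2], creds, target, rules, depth)
    return _eval(node[1], creds, target, rules, depth) or _eval(node[2], creds, target, rules, depth)


def enforce(action, creds, target, rules):
    """True if the rule registered for `action` grants `creds` on `target`.
    An action with no rule fails closed."""
    if action not in rules:
        return False
    return _eval(parse_rule(rules[action]), creds, target, rules)


def port_binding_outcomes():
    """The three rule variants from the thread, evaluated for three sample callers."""
    port = {"tenant_id": "demo-project"}   # constructed: port created by the demo user
    callers = {   # constructed credentials
        "demo": {"user_name": "demo", "tenant_id": "demo-project", "roles": ["member"]},
        "admin": {"user_name": "admin", "tenant_id": "admin-project", "roles": ["admin"]},
        "service": {"user_name": "svc", "tenant_id": "service-project", "roles": ["service"]},
    }
    variants = [
        "rule:admin_only",                          # the default
        "rule:admin_or_owner",                      # what was set in devstack
        "(rule:admin_only) or (rule:service_api)",  # suggested for a service user
    ]
    outcomes = {}
    for variant in variants:
        rules = dict(BASE_RULES)
        rules["update_port:binding:host_id"] = variant
        outcomes[variant] = {name: enforce("update_port:binding:host_id", c, port, rules)
                             for name, c in callers.items()}
    return outcomes


def devstack_context_is_admin(creds):
    """The devstack policy.yaml line from the thread: admin role OR the neutron user."""
    rules = dict(BASE_RULES, context_is_admin="role:admin or user_name:neutron")
    return enforce("context_is_admin", creds, {}, rules)


if __name__ == "__main__":
    for variant, result in port_binding_outcomes().items():
        print(f"{variant:42} {result}")
```

Note that the 403 in the comment names a combined expression, "(rule:update_port and rule:update_port:binding:host_id)": neutron evaluates the action's own rule as well as the attribute rule, so relaxing only "update_port:binding:host_id" helps a caller that already passes "update_port". The evaluator here checks one named rule at a time; combine them with "and" yourself if you want to model that.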