Comment 1 for bug 2052937

Bence Romsics (bence-romsics) wrote :

Hi Bartosz,

Yes, by default this is prohibited. However, oslo.policy-based policies are configurable.

For example, in my devstack I don't have ironic deployed, but I reproduced the problem using the unprivileged 'demo' user:

$ source openrc demo demo
$ openstack network create net0
$ openstack subnet create --network net0 --subnet-range 10.0.0.0/24 subnet0
$ openstack port create --network net0 port0
$ openstack port set --host devstack0 port0
ForbiddenException: 403: Client Error for url: http://192.168.122.225:9696/networking/v2.0/ports/4d6fa1c1-bbb0-4298-a901-c3dec7f1b1f1, (rule:update_port and rule:update_port:binding:host_id) is disallowed by policy

While in q-svc logs I had this:

febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Enforcing rules: ['update_port', 'update_port:binding:host_id'] {{(pid=5814) log_rule_list /opt/stack/neutron/neutron/policy.py:457}}
febr 13 14:03:42 devstack0 neutron-server[5814]: DEBUG neutron.policy [None req-9fa226e6-2ae5-4abe-9b70-efc749ef4913 None demo] Failed policy enforce for 'update_port' {{(pid=5814) enforce /opt/stack/neutron/neutron/policy.py:530}}

The non-default policy configuration is looked up by oslo.policy in /etc/neutron/policy.{json,yaml}. Today I believe the yaml format is preferred. But for some reason devstack still created the old json format for me. So first I migrated the one-line json file to yaml:

$ cat /etc/neutron/policy.json
{"context_is_admin": "role:admin or user_name:neutron"}

$ cat /etc/neutron/policy.yaml
"context_is_admin": "role:admin or user_name:neutron"

I believe this all was deployment (here devstack) specific.

I also told oslo.policy running in neutron-server to use the yaml formatted file:
/etc/neutron/neutron.conf:
[oslo_policy]
policy_file = /etc/neutron/policy.yaml

Then I changed the policy for port binding from the default:
"update_port:binding:host_id": "rule:admin_only" to
"update_port:binding:host_id": "rule:admin_or_owner"

After this change, the above "openstack port set --host" starts working, even without restarting neutron-server.

In your environment of course you want to use a different rule, maybe something like this:
"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

Since I don't have ironic in this environment, I could not test this rule. But please have a look at the documentation, I'm virtually sure there's a way to set what you need.

https://docs.openstack.org/neutron/latest/configuration/policy.html
https://docs.openstack.org/neutron/latest/configuration/policy-sample.html
https://docs.openstack.org/oslo.policy/latest/

Regarding the default, I believe for most environments it is good that only the admin can change port bindings. If you believe differently, please share your reasons. Until then I'm marking this as not a bug.

Regards,
Bence