neutron

[RFE] Add 'trusted_vif' field to the port attributes

Bug #2060916 reported by Slawek Kaplonski on 2024-04-11

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Wishlist	Slawek Kaplonski

Bug Description

Currently 'trusted=true' can be passed to Neutron by admin user through the port's "binding:profile" field but this field originally was intended to be used only for the machine-machine communication, and not to be used by any cloud user. There is even info about that in the api-ref:

"A dictionary that enables the application running on the specific host to pass and receive vif port information specific to the networking back-end. This field is only meant for machine-machine communication for compute services like Nova, Ironic or Zun to pass information to a Neutron back-end. It should not be used by multiple services concurrently or by cloud end users. The existing counterexamples (capabilities: [switchdev] for Open vSwitch hardware offload and trusted=true for Trusted Virtual Functions) are due to be cleaned up. The networking API does not define a specific format of this field. ..."

This will be even worst with the new S-RBAC policies where "binding:profile" field is allowed to be changed only for the SERVICE role users, not even for admins.

So this small RFE is proposal to add new API extension which will add field, like "trusted_vif" to the port object. This field would be then accesible for ADMIN role users in the Secure-RBAC policies.

Tags:

Slawek Kaplonski (slaweq) on 2024-04-11

Changed in neutron:
importance:	Undecided → Wishlist

Revision history for this message

Liu Xie (liushy) wrote on 2024-04-15:

Hi, does this RFE aim to specify that the 'trusted_vif' field and 'port_security' are set to false for the port?

Brian Haley (brian-haley) on 2024-04-25

tags:	added: rfe-triaged
tags:	added: rfe-confirmed

Revision history for this message

Slawek Kaplonski (slaweq) wrote on 2024-06-25:

@Liu Xie: this RFE is not going to target any specific, new valid setting of that field. It is only about introducing new API parameter for port to store that 'trusted_vif' field and not to set it in the binding:profile field directly.

Brian Haley (brian-haley) on 2024-06-28

tags:

added: rfe-approved
removed: rfe-confirmed rfe-triaged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-07-10: Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/923860

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-09: Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/926068

OpenStack Infra (hudson-openstack) on 2024-08-30

Changed in neutron:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-02: Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927737

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-06: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/926068
Committed: https://opendev.org/openstack/neutron/commit/104cbf9e60001329968bcab2e6d95ef38168cbc5
Submitter: "Zuul (22348)"
Branch: master

commit 104cbf9e60001329968bcab2e6d95ef38168cbc5
Author: Slawek Kaplonski <email address hidden>
Date: Fri Aug 9 16:47:04 2024 +0200

Add trusted vif api extension for the port

    This patch adds implementation of the "port_trusted_vif" API extension
    as ml2 extension.
    With this extension enabled, it is now possible for ADMIN users to set
    port as trusted without modifying directly 'binding:profile' field
    which is supposed to be just for machine to machine communication.

    Value set in the 'trusted' attribute of the port is included in the
    port's binding:profile so that it is still in the same place where e.g.
    Nova expects it.

    For now setting this flag directly in the port's binding:profile field
    is not forbidden and only warning is generated in such case but in
    future releases it should be forbiden and only allowed to be done using
    this new attribute of the port resource.

    This patch implements also definition of the new API extension directly
    in Neutron. It is temporary and will be removed once patch [1] in
    neutron-lib will be merged and released.

[1] https://review.opendev.org/c/openstack/neutron-lib/+/923860

Closes-Bug: #2060916
Change-Id: I69785c5d72a5dc659c5a2f27e043c686790b4d2b

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-06: Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/927737
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/65b00c0ee0d3350232bae22764d5d7acfa873dd0
Submitter: "Zuul (22348)"
Branch: master

commit 65b00c0ee0d3350232bae22764d5d7acfa873dd0
Author: Slawek Kaplonski <email address hidden>
Date: Mon Sep 2 15:20:59 2024 +0200

Add tests for the 'trusted' attribute in port resource

    This patch adds admin API tests for the trusted attribute of the port
    resources. Tests are checking if port created with 'trusted' attribute
    set have it set correctly in 'trusted' attribute and in the
    binding:profile. Second test checks the same but using update port API
    call.

Depends-On: https://review.opendev.org/c/openstack/neutron/+/926068

Related-Bug: #2060916
Change-Id: Idcadaed240f156312fbe38eb9b20c9699eea3282

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-11: Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/923860
Committed: https://opendev.org/openstack/neutron-lib/commit/86504426650457bfaf52c505b79bd96b7f200f51
Submitter: "Zuul (22348)"
Branch: master

commit 86504426650457bfaf52c505b79bd96b7f200f51
Author: Slawek Kaplonski <email address hidden>
Date: Wed Jul 10 16:44:29 2024 +0200

Add port trusted vif extension

This new extension allows to set port to be trusted. That value will be
then passed to Nova in the port's binding:profile dict.

Related-Bug: #2060916
Change-Id: Ia809fb0a35cc764ad017d81b018efc81b6de8500

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-13: Fix included in openstack/neutron 25.0.0.0rc1

This issue was fixed in the openstack/neutron 25.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-10-11: Related fix proposed to neutron (master)

#10

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/932181

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-11-08: Related fix merged to neutron (master)

#11

Reviewed: https://review.opendev.org/c/openstack/neutron/+/932181
Committed: https://opendev.org/openstack/neutron/commit/a0709a824086e8c3f19ad58b9e60d350fbd8434c
Submitter: "Zuul (22348)"
Branch: master

commit a0709a824086e8c3f19ad58b9e60d350fbd8434c
Author: Slawek Kaplonski <email address hidden>
Date: Fri Oct 11 16:47:14 2024 +0200

Use 'port-trusted-vif' api extension definition from neutron-lib

It was introduced in neutron-lib 3.16.

TrivialFix

Depends-On: https://review.opendev.org/c/openstack/requirements/+/932074

Related-bug: #2060916
Change-Id: I752e373e5217a9d34c5dd55ea4c6a0eebd2ff79f

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.