network:attach_external_network policy check outside nova-api

Bug #1675486 reported by Matthew Edmonds
Affects: OpenStack Compute (nova)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

The "network:attach_external_network" policy is being checked in nova-compute rather than in nova-api.

1) Only the api process should be doing policy checks.
2) Someone who wants to override policy for this would have to put a policy.json file on each host, which is certainly problematic.
3) There's talk of splitting nova-compute out of nova into its own project, which obviously shouldn't rely on nova's policy file.

This apparently came up on the mailing list [1] a while ago, but it doesn't seem like anything has been done about it so far. Still this way in master. See that mailing list thread for much more information and talk of possible solutions.

johnthetubaguy also noted via irc [2] that the neutron refactor work is heading in a direction that may fix this.

[1] https://openstack.nimeyo.com/87011/openstack-policy-check-network-attach_external_network
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2017-03-23.log.html#t2017-03-23T16:24:39

Tags: network policy
Matt Riedemann (mriedem)
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
tags: added: network policy
space (fengzhr)
Changed in nova:
assignee: nobody → space (fengzhr)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/449598

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/449598
Reason: This review is > 4 weeks without comment, and is not mergeable in its current state. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Sean Dague (sdague) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in nova:
status: In Progress → Confirmed
assignee: space (fengzhr) → nobody
Revision history for this message
melanie witt (melwitt) wrote :

One idea for addressing this is to remove the 'network:attach_external_network' policy check entirely and let neutron reject the request to create the port. This way, if an operator enables a tenant to attach to an external network, it will Just Work without the operator needing to push a policy config update to all nova-compute services.

******************

I have tested the behavior in a devstack environment and can confirm that server create will indeed fail on the neutron side if a tenant isn't permitted to attach to an external network. This gives some support to the idea of removing the policy check altogether and letting things fail on the neutron side if a tenant is not permitted to attach to an external network.

Note that the error message in the latter case is more vague and doesn't indicate that the network allocation step failed -- so a bit more work would be needed to ensure that we don't reschedule in the case where we receive the Forbidden error from neutron.

Default behavior (with 'network:attach_external_network' policy check):

$ openstack network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 69c9167d-5fb3-458e-bce0-5934dbb2469c | public | ec1d2d9a-51f3-44ba-ac01-5723eed5e81e, fe29bcbe-3a48-4db3-bb7b-48c2ac8b55a1 |
| 9b0c58a4-e843-4fd8-8256-db94893e7047 | private | a2d7ec6f-d10f-4e1a-8278-d3e6f4d5a7cf, a9ec851a-d0fe-4755-8024-d0c65619cdd1 |
| 9e9ceb79-8a78-41f7-b36f-ca89b57e90fb | shared | ae67aa07-b887-452f-9574-ffb307880566 |
+--------------------------------------+---------+----------------------------------------------------------------------------+

$ openstack network show 69c9167d-5fb3-458e-bce0-5934dbb2469c
+---------------------------+----------------------------------------------------------------------------+
| Field | Value |
+---------------------------+----------------------------------------------------------------------------+
[...]
| router:external | External |
[...]

$ openstack server create --flavor 42 --image cirros-0.5.1-x86_64-disk --network 69c9167d-5fb3-458e-bce0-5934dbb2469c --wait pizza
Error creating server: pizza
Error creating server

$ openstack server list
+--------------------------------------+-------+--------+----------+--------------------------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-------+--------+----------+--------------------------+---------+
| e60954fd-9e03-4a48-8650-606d1d4ffba8 | pizza | ERROR | | cirros-0.5.1-x86_64-disk | m1.nano |
+--------------------------------------+-------+--------+----------+---------...


Revision history for this message
melanie witt (melwitt) wrote :

Here's what neutron returns when it rejects a request to create a port on an external network:

INFO neutron.pecan_wsgi.hooks.translation [req-58fdb103-cd20-48c9-b73b-c9074061998c req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] POST failed (client error): Tenant 7c60976c662a414cb2661831ff41ee30 not allowed to create port on this network
[...]
INFO neutron.wsgi [req-58fdb103-cd20-48c9-b73b-c9074061998c req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] 127.0.0.1 "POST /v2.0/ports HTTP/1.1" status: 403 len: 360 time: 0.1582518

I've started a thread on the ML about the possibility of removing the nova-compute 'network:attach_external_network' policy check here:

http://lists.openstack.org/pipermail/openstack-discuss/2021-March/020876.html
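An added example, not code from nova, neutron or any of the comments above, that models the two designs discussed in this bug: the policy decision made once at the API layer (what the bug description asks for) versus dropping nova's own check and treating neutron's 403 on port create as a terminal failure that must not be rescheduled (melanie witt's comments). The two policy rule names are nova's; every other name here (Context, Network, check_rule, api_create_server, make_neutron, compute_build, is_port_create_forbidden, SAMPLE_LOG) is hypothetical, the rule evaluator covers only a small subset of oslo.policy syntax, and the neutron stand-in simply reproduces the error text quoted from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed policy contents in oslo.policy rule syntax. The rule names are
# nova's; the admin-only default is the one this bug discusses. Everything
# else in this module is a hypothetical stand-in, not nova or neutron code.
POLICY = {
    "admin_api": "is_admin:True",
    "network:attach_external_network": "rule:admin_api",
}


@dataclass
class Context:
    """Request context as the API layer sees it (hypothetical)."""
    project_id: str
    roles: set = field(default_factory=set)
    is_admin: bool = False


@dataclass
class Network:
    """The only network attribute that matters here is router:external."""
    id: str
    external: bool


class NeutronForbidden(Exception):
    """Stands in for the HTTP 403 neutron returns on a rejected port create."""


def check_rule(rule, ctx, policy=POLICY):
    """Evaluate a small subset of oslo.policy rule strings: '@', '!',
    'rule:<name>', 'role:<name>', 'is_admin:True', joined by 'and' / 'or'
    ('or' binds loosest, so it is split first)."""
    rule = rule.strip()
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(check_rule(p, ctx, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(check_rule(p, ctx, policy) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check_rule(policy[value], ctx, policy)
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    raise ValueError("unsupported rule: %r" % rule)


def api_create_server(ctx, network, policy=POLICY):
    """API-layer enforcement: the decision is made once, at the API boundary,
    before any compute host is involved, so a policy override lives in one
    place instead of on every host. Returns an HTTP-style result."""
    rule = policy["network:attach_external_network"]
    if network.external and not check_rule(rule, ctx, policy):
        return {"http_status": 403, "reason": "network:attach_external_network denied"}
    return {"http_status": 202, "network": network.id}


def make_neutron(allowed_projects):
    """Constructed neutron stand-in: a project not permitted on an external
    network gets the 403 whose message the log excerpt above shows."""
    def create_port(ctx, network):
        if network.external and ctx.project_id not in allowed_projects:
            raise NeutronForbidden(
                "Tenant %s not allowed to create port on this network" % ctx.project_id)
        return {"port_id": "port-for-" + network.id[:8]}
    return create_port


def compute_build(ctx, network, create_port, max_attempts=3):
    """Compute side with nova's policy check removed. neutron's Forbidden is
    terminal: a tenant-level authorization decision is the same on every
    host, so rescheduling would only repeat it. Other errors reschedule."""
    for attempt in range(1, max_attempts + 1):
        try:
            port = create_port(ctx, network)
            return {"status": "ACTIVE", "port": port["port_id"], "attempts": attempt}
        except NeutronForbidden as exc:
            return {"status": "ERROR", "reason": str(exc), "attempts": attempt,
                    "rescheduled": False}
        except RuntimeError:
            continue  # transient host-side failure: try the next host
    return {"status": "ERROR", "reason": "exhausted reschedule attempts",
            "attempts": max_attempts, "rescheduled": True}


# Detection side: the neutron wsgi line quoted in the comment above.
SAMPLE_LOG = ('INFO neutron.wsgi [req-58fdb103-cd20-48c9-b73b-c9074061998c '
              'req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] 127.0.0.1 '
              '"POST /v2.0/ports HTTP/1.1" status: 403 len: 360 time: 0.1582518')
PORT_403 = re.compile(r'"POST /v2\.0/ports HTTP/1\.1" status: 403\b')


def is_port_create_forbidden(log_line):
    """Flag a neutron wsgi log line recording a rejected port create."""
    return bool(PORT_403.search(log_line))
```

The design point is in compute_build: once the nova-side check is gone, the only signal that the tenant may not attach to the external network is neutron's 403, and the build code has to recognise it as non-retryable so the instance goes straight to ERROR instead of bouncing across hosts that will all get the same answer.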

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/729918
Committed: https://opendev.org/openstack/nova/commit/b5edc294a112a4ed806ba8025d24d821121c1a53
Submitter: "Zuul (22348)"
Branch: master

commit b5edc294a112a4ed806ba8025d24d821121c1a53
Author: Stephen Finucane <email address hidden>
Date: Thu May 21 12:08:59 2020 +0100

    docs: Add man pages for 'nova-policy'

    I don't actually grok what this does that 'oslopolicy-checker' couldn't
    do, so perhaps we can deprecate this in the future. For now though,
    simply document the thing. While we're here, we make some additional
    related changes:

    - Remove references to the 'policy.yaml' file for services that don't
      use policy (i.e. everything except the API services and, due to a bug,
      the nova-compute service).
    - Update remaining references to the 'policy.yaml' file to include the
      'policy.d/' directory
    - Update the help text for the '--api-name' and '--target' options of
      the 'nova-policy policy check' command to correct tense and better
      explain their purpose.

    Also, yes, 'nova-policy policy check' is dumb. Don't blame me :)

    Change-Id: I913b0de9ec40a615da7bf9981852edef4a88fecb
    Signed-off-by: Stephen Finucane <email address hidden>
    Related-bug: #1675486
