Hi,

The issue seems to be the following default config in Neutron policy:

    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",

Puzzling part is, from Horizon when I set an external gateway for a router, is it not the same thing as above? How does it allow it from Horizon then?

Ajay

From: "Ian Wells (iawells)" <iawe...@cisco.com>
Date: Friday, July 11, 2014 at 10:56 AM
To: akalambu <akala...@cisco.com>, "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-gr...@cisco.com>
Subject: Re: Neutron permission issue

Check /etc/neutron/policy.json, but I agree that's weird...
--
Ian.

From: "Ajay Kalambur (akalambu)" <akala...@cisco.com>
Date: Friday, 11 July 2014 10:05
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-gr...@cisco.com>
Subject: Neutron permission issue

Hi,

As a tenant, when I try to create a router and associate a gateway with the router as a two-step process in Horizon, things work fine. Now when I want to do the same thing through a create router API call with the request below, I get permission denied to create router:

    {
        "router": {
            "name": "another_router",
            "admin_state_up": true,
            "external_gateway_info": {
                "network_id": "3c5bcddd-6af9-4e6b-9c3e-c153e521cab8",
                "enable_snat": false
            }
        }
    }

The network id in both cases is the same.
This does not make sense to me.

Traceback (most recent call last):
  File "vm-tp.py", line 54, in setUp
    ext_router = self.net.create_router(CONF.ROUTER_NAME, ext_net['id'])
  File "/Users/akalambu/python_venv/latest_code/pns/network.py", line 121, in create_router
    router = self.neutron_client.create_router(body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 101, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 398, in create_router
    return self.post(self.routers_path, body=body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1320, in post
    headers=headers, params=params)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1243, in do_request
    self._handle_fault_response(status_code, replybody)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1211, in _handle_fault_response
    exception_handler_v20(status_code, des_error_body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 68, in exception_handler_v20
    status_code=status_code)
Forbidden: Policy doesn't allow create_router to be performed.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
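The following is an added example, not part of the thread and not Neutron's code: a simplified model of attribute-level policy checks showing how the two `enable_snat` rules quoted above can deny a tenant's `create_router` request. It assumes a sub-attribute rule is evaluated only when that key is present in the request body; `ROLE_RULES`, the `create_router` entry, the `member` role and the helper names are hypothetical.

```python
# Simplified model of attribute-level policy checks. Illustration only:
# this is not Neutron's implementation.

# Assumed for this example: which roles satisfy each named rule.
ROLE_RULES = {"admin_only": {"admin"}, "regular_user": {"admin", "member"}}

POLICY = {
    "create_router": "rule:regular_user",  # assumed for this example
    # The next two entries are the defaults quoted in the thread.
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
}

NET_ID = "3c5bcddd-6af9-4e6b-9c3e-c153e521cab8"  # network id from the thread

# Request body from the thread, which sets enable_snat explicitly.
WITH_SNAT = {"name": "another_router", "admin_state_up": True,
             "external_gateway_info": {"network_id": NET_ID,
                                       "enable_snat": False}}
# Constructed variant that leaves enable_snat out of the body.
WITHOUT_SNAT = {"name": "another_router", "admin_state_up": True,
                "external_gateway_info": {"network_id": NET_ID}}


def rules_for_request(action, body, policy=POLICY):
    """Return the policy rules triggered by keys actually present in body."""
    names = [action]
    for attr, value in body.items():
        names.append("%s:%s" % (action, attr))
        if isinstance(value, dict):
            names.extend("%s:%s:%s" % (action, attr, sub) for sub in value)
    # Only names that have an entry in the policy are enforced in this model.
    return [name for name in names if name in policy]


def denied_by(action, body, roles, policy=POLICY):
    """Return the triggered rules that a caller holding `roles` fails."""
    denied = []
    for name in rules_for_request(action, body, policy):
        allowed_roles = ROLE_RULES[policy[name].split(":", 1)[1]]
        if not allowed_roles & set(roles):
            denied.append(name)
    return denied


if __name__ == "__main__":
    for label, body in (("with enable_snat", WITH_SNAT),
                        ("without enable_snat", WITHOUT_SNAT)):
        result = denied_by("create_router", body, ["member"])
        print(label, "->", result or "allowed")
```

In this model the denial comes from the sub-attribute rule while the action is still `create_router`, which matches the wording of the Forbidden message in the traceback.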