Hello Roman:

This is the default security policy for non-admin users. By default, a non-admin user cannot create a port defining the flags "--disable-port-security" or "--enable-port-security". A non-admin user must create a port with "--enable-port-security" implicitly defined.

To avoid this default rule, you can change your Neutron policy file, adding a rule similar to the "create_port" one:

    "create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

Keep in mind that this is a potential security issue because you are allowing non-admin users to create ports without any security.

I'm closing this bug.

Regards.

** Changed in: neutron
   Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2030747

Title:
  Port creation on shared network fails with port_security defined

Status in neutron:
  Invalid

Bug description:
  OpenStack deployment: kolla-ansible 2023.1

  Neutron version is reported as:

  ubuntu@os:~$ docker exec neutron_server neutron --version
  neutron CLI is deprecated and will be removed in the Z cycle. Use openstack CLI instead.
  9.0.0

  When a user tries to create a port on a shared network, the operation fails when the option [--enable-port-security | --disable-port-security] is specified. If not, the port is created successfully with port_security_enabled = True.

  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --enable-port-security myport-01
  ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy

  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 --disable-port-security myport-01
  ForbiddenException: 403: Client Error for url: https://os-api:9696/v2.0/ports, ((rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id))) and rule:create_port:port_security_enabled) is disallowed by policy

  ubuntu@os:~$ openstack port create --network 30e7e427-c5f7-46b2-b04d-3ebccff5c532 --fixed-ip subnet=cf062558-3c32-48c3-96d1-dcaebad3ee71 --project 71558625372d467c85061759fd2e6bf8 myport-01
  +-------------------------+--------------------------------------------------------------------------------+
  | Field                   | Value                                                                          |
  +-------------------------+--------------------------------------------------------------------------------+
  | admin_state_up          | UP                                                                             |
  | allowed_address_pairs   |                                                                                |
  | binding_host_id         | None                                                                           |
  | binding_profile         | None                                                                           |
  | binding_vif_details     | None                                                                           |
  | binding_vif_type        | None                                                                           |
  | binding_vnic_type       | normal                                                                         |
  | created_at              | 2023-08-08T11:56:10Z                                                           |
  | data_plane_status       | None                                                                           |
  | description             |                                                                                |
  | device_id               |                                                                                |
  | device_owner            |                                                                                |
  | device_profile          | None                                                                           |
  | dns_assignment          | None                                                                           |
  | dns_domain              | None                                                                           |
  | dns_name                | None                                                                           |
  | extra_dhcp_opts         |                                                                                |
  | fixed_ips               | ip_address='100.100.100.100', subnet_id='cf062558-3c32-48c3-96d1-dcaebad3ee71' |
  | id                      | 19ba7a13-4f83-4b9f-81d1-2a2571758ef7                                           |
  | ip_allocation           | None                                                                           |
  | mac_address             | fa:16:3e:32:64:43                                                              |
  | name                    | myport-01                                                                      |
  | network_id              | 30e7e427-c5f7-46b2-b04d-3ebccff5c532                                           |
  | numa_affinity_policy    | None                                                                           |
  | port_security_enabled   | True                                                                           |
  | project_id              | 71558625372d467c85061759fd2e6bf8                                               |
  | propagate_uplink_status | None                                                                           |
  | qos_network_policy_id   | 4898087a-930f-4cc8-ac8d-f464b81c2df1                                           |
  | qos_policy_id           | None                                                                           |
  | resource_request        | None                                                                           |
  | revision_number         | 1                                                                              |
  | security_group_ids      | da5cef69-0aa6-4dbf-ba5f-a57e68fadc3a                                           |
  | status                  | DOWN                                                                           |
  | tags                    |                                                                                |
  | trunk_details           | None                                                                           |
  | updated_at              | 2023-08-08T11:56:10Z                                                           |
  +-------------------------+--------------------------------------------------------------------------------+
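The policy change suggested in the comment above, written out as a policy.yaml fragment. This is an added example, not a file from the bug thread or from the Neutron project; it assumes the deployment reads an oslo.policy YAML override file (policy.yaml) and that the request body attribute is visible to the policy target, so the oslo.policy generic check "True:%(port_security_enabled)s" can compare the literal True against the value the caller submitted. Option A is the rule quoted in the comment; option B is a narrower variant that lets project members only enable port security while leaving the ability to disable it admin-only, which removes the risk the comment warns about.

```yaml
# policy.yaml override for neutron-server (added example; path and override
# mechanism are assumptions about the deployment, not taken from the thread)

# Option A: the relaxation quoted in the comment. Any member of the owning
# project may set port_security_enabled to True OR False when creating a port.
# Only one definition of the key may be active in a YAML file, so this one is
# commented out in favour of option B below.
#"create_port:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# Option B: members may only *enable* port security on their own project's
# ports; disabling it still requires admin. "True:%(port_security_enabled)s"
# is an oslo.policy generic check (assumption: the submitted boolean is present
# in the policy target and renders as the string "True").
"create_port:port_security_enabled": "rule:admin_only or (role:member and project_id:%(project_id)s and True:%(port_security_enabled)s)"
```

After changing the file, restart neutron-server (or rely on oslo.policy's file reload) and verify with the same two `openstack port create` commands from the report: with option B the `--enable-port-security` call should succeed for a project member while `--disable-port-security` keeps returning the 403 shown above.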