Public bug reported:

OS: Ubuntu 22.04
Openstack Release: Zed 
Deployment tool: Kolla-ansible
Neutron Plugin: OVN 


I have set up an RBAC policy on my external network, and here is the policy.yaml
file:

"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"

I have RBAC set up on the following network to allow a specific project
access to the network.

# openstack network show public-network-948
+---------------------------+----------------------------------------------------------------------------+
| Field                     | Value                                                                      |
+---------------------------+----------------------------------------------------------------------------+
| admin_state_up            | UP                                                                         |
| availability_zone_hints   |                                                                            |
| availability_zones        |                                                                            |
| created_at                | 2023-09-01T20:31:36Z                                                       |
| description               |                                                                            |
| dns_domain                |                                                                            |
| id                        | 5aacb586-c234-449e-a209-45fc63c8de26                                       |
| ipv4_address_scope        | None                                                                       |
| ipv6_address_scope        | None                                                                       |
| is_default                | False                                                                      |
| is_vlan_transparent       | None                                                                       |
| mtu                       | 1500                                                                       |
| name                      | public-network-948                                                         |
| port_security_enabled     | True                                                                       |
| project_id                | 1ed68ab792854dc99c1b2d31bf90019b                                           |
| provider:network_type     | None                                                                       |
| provider:physical_network | None                                                                       |
| provider:segmentation_id  | None                                                                       |
| qos_policy_id             | None                                                                       |
| revision_number           | 9                                                                          |
| router:external           | External                                                                   |
| segments                  | None                                                                       |
| shared                    | True                                                                       |
| status                    | ACTIVE                                                                     |
| subnets                   | d36886a2-99d3-4e2b-93ed-9e3cfabf5817, dba7a427-dccb-4a5a-a8e0-23fcda64666d |
| tags                      |                                                                            |
| tenant_id                 | 1ed68ab792854dc99c1b2d31bf90019b                                           |
| updated_at                | 2023-10-15T18:13:52Z                                                       |
+---------------------------+----------------------------------------------------------------------------+

When a normal user tries to create a port, they get the following error:

# openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=204.247.186.133 test1
ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy


openstack CLI debug output: https://pastebin.com/act1n7cv


Reference bugs:
https://bugs.launchpad.net/neutron/+bug/1808112
https://bugs.launchpad.net/neutron/+bug/1833455

** Affects: neutron
     Importance: Undecided
         Status: New
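As an added illustration (not part of the bug report and not Neutron's own code), the stand-alone Python below models how oslo.policy-style rule strings combine into the conjunction named in the 403 above and reports which sub-rule fails for a given caller. The three attribute rules are the ones from the reporter's policy.yaml; the supporting rules (create_port, admin_only, network_owner, shared, ...), the caller's credentials and the "cafe" project id are assumptions, and the parent network's attributes are pre-resolved into the target here, whereas Neutron's real engine fetches the network and resolves RBAC-based sharing itself.

```python
import re
# The reporter's three attribute rules share one rule string (quoted from the policy.yaml above).
FIXED_IPS_RULE = "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
POLICY = {
    "create_port:fixed_ips": FIXED_IPS_RULE,
    "create_port:fixed_ips:subnet_id": FIXED_IPS_RULE,
    "create_port:fixed_ips:ip_address": FIXED_IPS_RULE,
    # Supporting rules are ASSUMED here (written after Neutron's defaults), not taken from the page.
    "create_port": "project_id:%(project_id)s",
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_only": "rule:context_is_admin",
    "network_owner": "tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
}

def check(expr, creds, target):
    """Evaluate one rule string; supports only the check kinds used above (no parentheses)."""
    if " or " in expr:
        return any(check(p, creds, target) for p in expr.split(" or "))
    kind, match = expr.strip().split(":", 1)
    if kind == "rule":
        return check(POLICY[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", ())
    if kind == "field":                       # field:<resource>:<attr>=<value>
        resource, attr_value = match.split(":", 1)
        attr, value = attr_value.split("=", 1)
        # Simplification: the parent network's attributes are pre-resolved into the target as
        # "network:<attr>"; real Neutron fetches the network (and its RBAC sharing) itself.
        return str(target.get(f"{resource[:-1]}:{attr}")) == value
    # Generic "<creds key>:<literal or %(target key)s>", e.g. tenant_id:%(network:tenant_id)s
    m = re.fullmatch(r"%\((.+)\)s", match)
    expected = target.get(m.group(1)) if m else match
    return expected is not None and creds.get(kind) == expected

def enforce_create_port(creds, target):
    """Build the conjunction the 403 prints (base rule AND one rule per request attribute)."""
    names = ["create_port"]
    if "fixed_ips" in target:
        names.append("create_port:fixed_ips")
        names += [f"create_port:fixed_ips:{k}" for k in dict.fromkeys(k for ip in target["fixed_ips"] for k in ip)]
    failed = [n for n in names if not check(POLICY[n], creds, target)]
    return not failed, failed            # (allowed, names of the failing rules)

# Constructed sample: the reporter's subnet/IP on the page's network, requested by a project
# member of the made-up project "cafe". Set network:shared to False to reproduce a denial.
NETWORK = {"network:tenant_id": "1ed68ab792854dc99c1b2d31bf90019b", "network:shared": True}
MEMBER = {"project_id": "cafe", "tenant_id": "cafe", "roles": ["member"]}
PORT = {"project_id": "cafe", **NETWORK, "fixed_ips": [
    {"subnet_id": "dba7a427-dccb-4a5a-a8e0-23fcda64666d", "ip_address": "204.247.186.133"}]}
```

Changing the caller's roles or the resolved network:shared value shows which of the three attribute rules the 403 would name.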

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2039464

Title:
  disallowed by policy error when user tries to create_port with fixed_ips

Status in neutron:
  New

