Reviewed:  https://review.opendev.org/c/openstack/neutron/+/935278
Committed: https://opendev.org/openstack/neutron/commit/90d836bc420ccd309196ece7908b41b9e2c4f766
Submitter: "Zuul (22348)"
Branch:    master

commit 90d836bc420ccd309196ece7908b41b9e2c4f766
Author: Rodolfo Alonso Hernandez <ralon...@redhat.com>
Date:   Fri Nov 15 11:08:19 2024 +0000

    Filter out the floating IPs when removing a shared RBAC

    When a RBAC with action=access_as_shared is removed from a network, it
    is checked first that there are no elements (ports) in this network
    that could no longer exist due to the RBAC permissions reduction.

    The floating IP related ports, that have project_id='' by definition,
    should be removed from this check. These ports can be created due to
    a RBAC with action=access_as_external. If a floating IP port is present
    in the network, it should not block the RBAC with action=access_as_shared
    removal.

    Closes-Bug: #2075529
    Change-Id: I7e31c21c04dc1ef26f5f05537ca0d2cb8f5ca505

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2075529

Title:
  Unable to delete "access_as_shared" RBAC policy

Status in neutron:
  Fix Released

Bug description:
  I encounter a very strange behavior when I try to add and delete the
  "access_as_shared" RBAC policy. I can add it successfully, but the
  subsequent delete doesn't work:

  openstack network rbac create ...   # SUCCESS
  openstack network rbac delete $ID   # FAIL

  Pre-requirements:
  - The network is external.
  - There is a floating IP or router in the network.

  Here is a demo:

  Creating an external network and a Floating IP address:

  [root@devoct30 ~]# openstack network create net0 --external -c id -f value
  9e3285c5-6034-4851-bd72-02d24f5e3f98
  [root@devoct30 ~]# openstack subnet create sub --network net0 --subnet-range 192.168.100.0/24 --no-dhcp
  [root@devoct30 ~]# openstack floating ip create net0
  [root@devoct30 ~]# openstack network rbac list --long
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  | ID                                   | Object Type | Object ID                            | Action             |
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  | 324163f7-b79f-493e-a78d-58da0990830e | network     | 9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  [root@devoct30 ~]#

  Adding the "access_as_shared" RBAC policy and trying to delete it:

  [root@devoct30 ~]# openstack network rbac create 9e3285c5-6034-4851-bd72-02d24f5e3f98 --type network --action access_as_shared --target-all-projects
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | action            | access_as_shared                     |
  | id                | 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 |
  | object_id         | 9e3285c5-6034-4851-bd72-02d24f5e3f98 |
  | object_type       | network                              |
  | project_id        | af61bf69ee0a4a7db97d2dd640d967c2     |
  | target_project_id | *                                    |
  +-------------------+--------------------------------------+
  [root@devoct30 ~]# openstack network rbac list --long
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  | ID                                   | Object Type | Object ID                            | Action             |
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  | 324163f7-b79f-493e-a78d-58da0990830e | network     | 9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_external |
  | 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6 | network     | 9e3285c5-6034-4851-bd72-02d24f5e3f98 | access_as_shared   |
  +--------------------------------------+-------------+--------------------------------------+--------------------+
  [root@devoct30 ~]#
  [root@devoct30 ~]# openstack network rbac delete 4eff94d8-f872-41b3-b3ce-71cdcb40d2e6
  Failed to delete RBAC policy with ID '4eff94d8-f872-41b3-b3ce-71cdcb40d2e6': ConflictException: 409: Client Error for url: http://10.136.19.166:9696/networking/v2.0/rbac-policies/4eff94d8-f872-41b3-b3ce-71cdcb40d2e6, RBAC policy on object 9e3285c5-6034-4851-bd72-02d24f5e3f98 cannot be removed because other objects depend on it. Details: Callback neutron.plugins.ml2.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-3919969 failed with "Unable to reconfigure sharing settings for network 9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-999219 failed with "Unable to reconfigure sharing settings for network 9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it.",Callback neutron.services.network_ip_availability.plugin.NeutronDbPluginV2.validate_network_rbac_policy_change-994607 failed with "Unable to reconfigure sharing settings for network 9e3285c5-6034-4851-bd72-02d24f5e3f98. Multiple tenants are using it."
  1 of 1 RBAC policies failed to delete.
  [root@devoct30 ~]#

  Environment: single devstack installation from master branch
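
The check described in the commit message, as an added example that is not neutron's own code: a simplified model of "which projects still depend on this share", run on data mirroring the demo above. The Port and RbacEntry classes, the blocking_projects function, the port ids, the "tenant-b" project and the '*' target on the access_as_external entry are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    id: str
    project_id: str  # '' for floating IP ports, per the commit message


@dataclass(frozen=True)
class RbacEntry:
    id: str
    action: str          # 'access_as_shared' or 'access_as_external'
    target_project: str  # '*' means all projects


def blocking_projects(owner, ports, rbac_entries, removed_id,
                      skip_floating_ips=True):
    """Projects with ports on the network that would lose shared access
    once RBAC entry `removed_id` is deleted. An empty set means the
    deletion is safe."""
    remaining = [e for e in rbac_entries
                 if e.id != removed_id and e.action == "access_as_shared"]
    if any(e.target_project == "*" for e in remaining):
        return set()  # another wildcard share still covers every project
    allowed = {owner} | {e.target_project for e in remaining}
    users = {p.project_id for p in ports}
    if skip_floating_ips:
        users.discard("")  # floating IP ports belong to no project
    return users - allowed


# Constructed data mirroring the demo in the bug report.
OWNER = "af61bf69ee0a4a7db97d2dd640d967c2"
SHARED = "4eff94d8-f872-41b3-b3ce-71cdcb40d2e6"
RBAC = [
    # target '*' is assumed; the listing above does not show it
    RbacEntry("324163f7-b79f-493e-a78d-58da0990830e", "access_as_external", "*"),
    RbacEntry(SHARED, "access_as_shared", "*"),
]
FIP_PORT = Port("fip-port-1", "")            # constructed port id
TENANT_PORT = Port("vm-port-1", "tenant-b")  # constructed port and project

if __name__ == "__main__":
    # Without the filter the floating IP port alone blocks the delete.
    print(blocking_projects(OWNER, [FIP_PORT], RBAC, SHARED, skip_floating_ips=False))
    # With the filter the delete is allowed ...
    print(blocking_projects(OWNER, [FIP_PORT], RBAC, SHARED))
    # ... but a real port of another project still blocks it.
    print(blocking_projects(OWNER, [FIP_PORT, TENANT_PORT], RBAC, SHARED))
```

The access_as_external entry never counts as a remaining share, so the safety property of the check is kept: only the project-less floating IP port stops being a blocker.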