** Also affects: ubuntu
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1942615

Title:
  [RFE] SG shared through RBAC mechanism can't be used to spawn instances

Status in neutron:
  In Progress
Status in Ubuntu:
  New

Bug description:
  Since some time Security groups can be shared with specific tenants
  using RBAC mechanism, but it's not possible to share SG that way with
  TARGET-PROJECT and then, as a member or admin in that TARGET-PROJECT,
  spawn a VM which will use that SG:

  $ openstack server create --image cirros-0.5.1-x86_64-disk --flavor m1.tiny --network TARGET-PROJECT-net1 --security-group sharedsg --wait testsg004
  /usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
    from cryptography.utils import int_from_bytes
  /usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
    from cryptography.utils import int_from_bytes
  Error creating server: testsg004
  Error creating server

  It is like that because nova in
  https://github.com/openstack/nova/blob/713b653fc0e09301a5674316a49a6f5ffd152b4c/nova/network/neutron.py#L814
  is asking for security groups filtered by tenant_id. And Neutron
  returns only SGs which are owned by that tenant, without the ones
  shared with the tenant using RBAC.

  Looking at neutron api-ref
  https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-networks-detail,list-security-groups-detail#security-groups-security-groups
  it clearly says that it filters by tenant_id that OWNS the resource, so
  it seems like correct (documented) behaviour.

  Now the question is - should we relax that filter and return SGs which
  the project owns and which are shared with the tenant? Or should we add
  an additional flag to the API, like "include_shared", which could be
  used by Nova? Or maybe do you have any other ideas about how to solve
  that issue?
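
Added example, not part of the original report and not Neutron or Nova code: a small in-memory model of the lookup described above, showing why a name lookup filtered by tenant_id misses an RBAC-shared SG and how the "include_shared" flag proposed in the report would change that without exposing SGs shared with other projects. All IDs, OWNER-PROJECT, THIRD-PROJECT and the function names are constructed for illustration; the visibility scoping for the calling project is an assumption of the model.

```python
from typing import NamedTuple

class SecurityGroup(NamedTuple):
    id: str
    name: str
    tenant_id: str          # owning project

class RbacEntry(NamedTuple):
    object_id: str
    target_tenant: str      # project the SG is shared with, "*" means all
    action: str = "access_as_shared"

# Constructed sample data.
SGS = [
    SecurityGroup("sg-1", "sharedsg", "OWNER-PROJECT"),
    SecurityGroup("sg-2", "default", "TARGET-PROJECT"),
    SecurityGroup("sg-3", "othersg", "OWNER-PROJECT"),
]
RBAC = [
    RbacEntry("sg-1", "TARGET-PROJECT"),   # shared with the caller
    RbacEntry("sg-3", "THIRD-PROJECT"),    # shared with someone else
]

def shared_with(sg, project):
    """True if an RBAC entry grants `project` access to `sg`."""
    return any(r.object_id == sg.id and r.action == "access_as_shared"
               and r.target_tenant in (project, "*") for r in RBAC)

def list_security_groups(caller, tenant_id=None, include_shared=False):
    """Model of the list call: `caller` is the requesting project,
    `tenant_id` the query filter."""
    # Assumed scoping: a caller only sees SGs it owns or was granted.
    visible = [sg for sg in SGS
               if sg.tenant_id == caller or shared_with(sg, caller)]
    if tenant_id is None:
        return visible
    # Documented behaviour: tenant_id matches the OWNER only.
    # include_shared is the hypothetical flag proposed in the report.
    return [sg for sg in visible
            if sg.tenant_id == tenant_id
            or (include_shared and shared_with(sg, tenant_id))]

def resolve_by_name(caller, name, include_shared=False):
    """Lookup as the report describes it: list filtered by the caller's
    tenant_id, then match the requested SG name."""
    found = list_security_groups(caller, tenant_id=caller,
                                 include_shared=include_shared)
    return [sg.id for sg in found if sg.name == name]
```

Whichever option is chosen, the check that matters is the third case in the data: an SG shared with a different project must stay unresolvable for TARGET-PROJECT.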