Reviewed:  https://review.opendev.org/c/openstack/neutron/+/945329
Committed: https://opendev.org/openstack/neutron/commit/65b9dc622f00e4aeac0e4f9a71db690a377cd558
Submitter: "Zuul (22348)"
Branch:    master
commit 65b9dc622f00e4aeac0e4f9a71db690a377cd558
Author: Tobias Urdin <tobias.ur...@binero.com>
Date:   Mon Mar 24 16:16:25 2025 +0100

    Allow service role more RBAC access for Octavia

    This updates the default RBAC rules for multiple resources to allow for a
    seamless integration with Octavia without having to give Octavia system
    scope admin in the entire cloud.

    The current use of the service role in the RBAC rules allows for pretty
    much all of the permissions that Octavia needs today except for a few.

    It needs get_subnet to be able to retrieve a subnet and check the details;
    this is low impact as we already allow get_network.

    It also needs get_network_ip_availability because it supports
    automatically selecting a subnet (if none is given) on a network based on
    the amount of available IP addresses.

    The default Amphora compute driver for Octavia uses a keepalived and
    HAProxy implementation that uses unicast VRRP for the VIP address. This
    VIP address is added as an allowed address pair on the ports for the
    amphora compute instances, so the VIP port itself is not bound.

    Octavia also depends on being able to populate the ``device_id`` field on
    a port, which means it also needs this patch [1] together with this one.

    [1] https://review.opendev.org/c/openstack/neutron/+/947003

    Closes-Bug: #2105502
    Change-Id: I089999cece698af1a3b54d1341d9004d4108ae44

** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2105502

Title:
  service role permissions not enough for octavia allowed address pair driver

Status in neutron:
  Fix Released

Bug description:
  The octavia project's network driver needs more permissions to work
  without the admin role. This is for the allowed address pair network
  driver that allocates ports for tenant networks on a project that octavia
  handles, where it places amphora instances.

  This should be fixed so that it only needs to have the service role, by
  filling the gaps for the service role. These are:

  - get_subnet
  - get_network_ip_availability
  - allowed address pairs in create and update port
  - device_id in create and update port as proposed in [1]

  [1] https://review.opendev.org/c/openstack/neutron/+/861169
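The rules the report lists, written out as an operator-side neutron policy.yaml override. This is an added example, not part of the bug report, the commit, or neutron's shipped defaults: it is what an operator could apply on a release that predates the fix, so that the Octavia service user holds only the Keystone role "service" instead of admin everywhere. It assumes that the base rules admin_only, admin_or_owner, admin_or_network_owner and shared exist unchanged in the deployed release (the right-hand sides mirror the long-standing defaults and are an assumption), and the two device_id targets are an assumed naming that follows the linked change [1]; confirm every target name against the deployed release with `oslopolicy-sample-generator --namespace neutron` before use.

```yaml
# policy.yaml for neutron-server: narrow grants for the Octavia service user.
# Added example, not neutron's shipped defaults. Assumes the Octavia user
# carries the Keystone role "service" and that the base rules admin_only,
# admin_or_owner, admin_or_network_owner and shared exist unchanged in the
# deployed neutron release (assumption, verify with
# oslopolicy-sample-generator --namespace neutron).

# One named rule for the service role, so the grant can be audited or
# revoked in a single place instead of editing every target below.
"octavia_service": "role:service"

# Weak alternative this replaces: giving the Octavia user the admin role
# in every project, or a system-scope admin token, which passes every
# neutron policy target, not just the ones Octavia needs.

# Read access the amphora driver needs: subnet details, and per-network
# IP availability for automatic subnet selection.
"get_subnet": "rule:admin_or_owner or rule:shared or rule:octavia_service"
"get_network_ip_availability": "rule:admin_only or rule:octavia_service"

# The VRRP VIP is carried as an allowed address pair on the amphora ports;
# the VIP port itself stays unbound, so no binding:* attribute is granted.
"create_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:octavia_service"
"update_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:octavia_service"

# device_id on the amphora ports. Target names are an assumption following
# the linked change [1]; check them against the deployed release.
"create_port:device_id": "rule:admin_or_network_owner or rule:octavia_service"
"update_port:device_id": "rule:admin_or_network_owner or rule:octavia_service"
```

Two things to check before deploying an override like this. First, the service role is not scoped to a project: anything holding it passes these targets in every project, and allowed_address_pairs in particular lets the holder make Neutron accept additional source addresses on a port, so keep the credential confined to the Octavia service user and review it like an admin credential. Second, if the deployed release defines per-attribute sub-targets under allowed_address_pairs (the generated sample policy will show them), they need the same grant or the update still fails. oslo.policy ships oslopolicy-checker, which evaluates a policy file against a sample request context; use it to confirm that a context with role "service" passes get_subnet and get_network_ip_availability but still fails targets this override does not touch, such as create_network.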