[openstack-dev] [Neutron] Elevating context to remove subnets created by admin

Carl Baldwin carl at ecbaldwin.net
Fri Jun 3 20:02:52 UTC 2016


On Fri, Jun 3, 2016 at 11:16 AM, Darek Smigiel
<smigiel.dariusz at gmail.com> wrote:
> Hello,
> Doing reviews I noticed, that Liu Yong submitted a bug [1] where we have a problem with removing subnets.

This makes me wonder what the use case is that gets into this situation.

> In short: if a tenant wants to delete a network with subnets, where at least one of the subnets was created by an admin, he's not able to do this.
> Liu also prepared a bugfix for it [2], but now it's starting to get much more complicated.
>
> What is the desired solution in this case?
> One of the suggestions is to elevate the context, remove all subnets and nuke everything. It can cause a problem, when one tenant can remove other tenants' subnets.

Ignoring implementation details, I think if I own a network, I ought
to be able to delete it regardless of who has created subnets on it.
A network is composed of subnets.  They are nothing more than the IPAM
details of the network.  I usually think of subnets as part of the
network for this reason.  I'm not even sure why a subnet has its own
owner that is allowed to be different from the network owner.

The only place where I've seen access to a network differ from
access to the subnets is on a shared network where regular tenants
have not been able to view the subnets on an admin-owned shared
network.  I'm not even sure this is important.

I think ports are a little different.  A port represents a connection
from something (like a VM) to the network.  Depending on what ports
exist on a network we should (and do) prevent the deletion of the
network.

> The other is to just show info to the tenant that he's not allowed to delete the network. But at the same time, it could be strange that the owner is not able to just get rid of *his* network and subnets.

It's like if I owned a car but my neighbor owned the seats.  I can't
sell or dispose of the car without my neighbor's permission?  That
doesn't make any sense.

> If you have any opinions, suggestions, please feel free to share

I think we need to figure out how to enable deleting the network
without error.  We can take that up in the review.

Carl

> [1] https://bugs.launchpad.net/neutron/+bug/1588228
> [2] https://review.openstack.org/#/c/324617/
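As an added illustration of the policy argued in this thread (this is not Neutron's code or the proposed patch), a toy Python model in which the network owner's delete removes every subnet on that network regardless of who created it, while the elevated step stays scoped to that one network and ports still block the delete. All identifiers and state are constructed.

```python
class Forbidden(Exception):
    """Caller does not own the network."""


class NetworkInUse(Exception):
    """Ports still exist on the network."""


class ToyStore:
    """In-memory stand-in for networks, subnets and ports (constructed data)."""

    def __init__(self):
        self.networks = {"net-1": {"tenant_id": "tenant-a"},
                         "net-2": {"tenant_id": "tenant-b"}}
        self.subnets = {"sub-1": {"network_id": "net-1", "tenant_id": "tenant-a"},
                        # admin-created subnet on tenant-a's network (the bug case)
                        "sub-2": {"network_id": "net-1", "tenant_id": "admin"},
                        "sub-3": {"network_id": "net-2", "tenant_id": "admin"}}
        self.ports = {"port-1": {"network_id": "net-2"}}

    def delete_network(self, tenant_id, network_id):
        """Delete network_id on behalf of tenant_id; returns removed subnet ids.

        Ownership is checked on the network only. Subnet ownership is
        deliberately ignored, but the elevated removal is filtered by
        network_id, so it cannot reach subnets on any other network.
        """
        net = self.networks.get(network_id)
        if net is None or net["tenant_id"] != tenant_id:
            raise Forbidden(f"{tenant_id} does not own {network_id}")
        if any(p["network_id"] == network_id for p in self.ports.values()):
            raise NetworkInUse(f"{network_id} still has ports attached")
        # Elevated step: scoped strictly to this network, never to a tenant.
        removed = [sid for sid, s in self.subnets.items()
                   if s["network_id"] == network_id]
        for sid in removed:
            del self.subnets[sid]
        del self.networks[network_id]
        return removed
```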
