[openstack-dev] [Neutron] Elevating context to remove subnets created by admin

Brandon Logan brandon.logan at RACKSPACE.COM
Fri Jun 3 20:33:58 UTC 2016


To me, it seems more appropriate to delete all the subnets no matter
who they're owned by if the owner of the network decided they wanted to
delete it.  If there is a subnet associated with their network that
they do not see, then the delete network call would have to fail.
 That's going to be quite confusing to a user, especially if they get a
message saying that a particular subnet is preventing the deletion and
the owner can't even see that subnet exists.

One thing I may not be thinking about is shared networks and/or rbac.
 I'm not sure some tenant/project can even create a subnet on another
tenant/project's shared/rbac'ed network.  I just attempted to do it
quickly on the CLI and it failed, but the error message was a big
policy splat.  I doubt that's even meant to happen, so perhaps this
case hasn't been thought about.

Thanks,
Brandon

On Fri, 2016-06-03 at 12:16 -0500, Darek Smigiel wrote:
> Hello,
> Doing reviews I noticed, that Liu Yong submitted a bug [1] where we
> have a problem with removing subnets.
> 
> In short: if tenant wants to delete network with subnets, where at
> least one of subnets is created by admin, he’s not able to do this.
> Liu also prepared bugfix for it [2], but now it’s starting to be much
> more complicated.
> 
> What is desired solution in this case?
> One of suggestions is to elevate context, remove all subnets and nuke
> everything. It can cause a problem, when one tenant can remove
> others’ tenant subnets.
> The other is to just show info to tenant, that he’s not allowed to
> delete network. But in the same time, it could be strange, that owner
> is not able to just get rid of *his* network and subnets.
> 
> If you have any opinions, suggestions, please feel free to share
> 
> [1] https://bugs.launchpad.net/neutron/+bug/1588228
> [2] https://review.openstack.org/#/c/324617/
> 
> 
> Darek
> _____________________________________________________________________
> _____
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubs
> cribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


More information about the OpenStack-dev mailing list