Hi,
Just to have all the history and context in the mail thread as well, there is a bug in Launchpad for this issue:
https://bugs.launchpad.net/neutron/+bug/2039464

Lajos (lajoskatona)

Satish Patel <satish.txt@gmail.com> wrote (on Tue, Oct 17, 2023, 15:31):
Sławek,

I have verified, and I do have those snippets, which means my code is patched.

# cat /neutron-base-source/neutron-21.1.3.dev32/build/lib/neutron/policy.py


            project_id = target_dict.get('project_id')
            ctx = (context.Context(tenant_id=project_id) if project_id
                   else context.get_admin_context())
            plugin = directory.get_plugin()
            network = plugin.get_network(ctx, target_network_id)
            target_value = network.get(self.field)

On Tue, Oct 17, 2023 at 8:18 AM Satish Patel <satish.txt@gmail.com> wrote:
I will check, but don’t you think it should be there, because the patch was submitted in 2019? I am running the Zed release.

I have already submitted a new bug here: https://bugs.launchpad.net/neutron/+bug/2039464



On Tue, Oct 17, 2023 at 4:57 AM Sławek Kapłoński <skaplons@redhat.com> wrote:

Hi,


On Monday, 16 October 2023 12:46:52 CEST Satish Patel wrote:

> Hi,
>
> My RBAC is set to “access_as_shared” on that network.
>
> On Mon, Oct 16, 2023 at 6:20 AM Rodolfo Alonso Hernandez <
> ralonsoh@redhat.com> wrote:
>
> > Hello Satish:
> >
> > Please check the network RBACs of network "public-network-1". Action
> > "access_as_external" is not the same as "access_as_shared". You should be
> > able to create this port with the second one, not the first.
> >
> > Regards.
> >
> > On Sun, Oct 15, 2023 at 11:35 PM Satish Patel <satish.txt@gmail.com>
> > wrote:
> >
> >> Folks,
> >>
> >> I am trying to give permission to end users to create fixed IP ports and
> >> attach to VMs but so far no luck.
> >>
> >> Release: Zed  (OVN based deployment)
> >>
> >> I have added following in policy.yml file in neutron server
> >>
> >> "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or
> >> rule:admin_only or rule:shared"
> >> "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or
> >> rule:network_owner or rule:admin_only or rule:shared"
> >> "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or
> >> rule:network_owner or rule:admin_only or rule:shared"
> >>
> >> $ openstack port create --network public-network-1 --fixed-ip
> >> subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=xx.xx.xx.xx my-port1
> >> ForbiddenException: 403: Client Error for url:
> >> http://192.168.18.100:9696/v2.0/ports, (rule:create_port and
> >> (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and
> >> rule:create_port:fixed_ips:ip_address))) is disallowed by policy
> >>
> >>
> >> I found some reference bug but not sure they are fixed or not:
> >> https://bugs.launchpad.net/neutron/+bug/1833455


Yes, the fix for that is https://review.opendev.org/c/openstack/neutron/+/666816 and it should work fine if you already have this fix in your deployment. If not, please open a new LP bug for it.


> >>
> >
>


--

Slawek Kaplonski

Principal Software Engineer

Red Hat