Hello Maximilian:

By definition, an external network is a shared network with the addition of being external (can be used as router gateway). The subnets inherit the RBAC properties and thus all subnets belonging to a shared (or external) network are visible to the user who has access to this network. The previous behaviour, where the subnets of an external network were hidden from the non-owner user, was incorrect.

In any case, you can implement your own local policies for "get_network"/"get_networks", limiting them to the network owner or the admin user.

Regards.



On Thu, Jul 10, 2025 at 1:40 PM Maximilian Stinsky-Damke <Maximilian.Stinsky-Damke@wiit.cloud> wrote:
Greetings,

Since Neutron 2024.2 (25.0.0), the subnet-external-network extension is loaded by default. This causes subnetworks that are part of external networks to be visible to non-admin users.

We found this behavior a bit confusing for regular users, as those subnetworks are often not usable for spawning VMs or creating load balancers. Depending on the number of external subnetworks, dashboards like Networks and Load Balancer Create in Octavia can become cluttered with entries that are effectively unusable for non-admins, as they are intended only for routers and floating IPs.

I’ve reviewed the patches mentioned in [1], and as far as I can tell, the new extension is enabled by default with no apparent way to disable it or revert to the previous behavior.

Am I missing something? Is there a way to prevent external subnetworks from being shown to non-admin users?

[1] https://bugs.launchpad.net/neutron/+bug/2051831

Thanks in advance,
Best regards,
Max