On 5/2/25 11:23, Brian Haley wrote:
Hi,
On 5/2/25 8:36 AM, Nguyễn Hữu Khôi wrote:
Could we find a solution for this case? Because they own VLAN networks. Currently, I can create RBAC policies to allow tenants to use external networks.
I've read this thread a couple of times and I still don't exactly understand what the ask is from Neutron. This tenant "owns" a VLAN network and wants to integrate it and a range of IP addresses into Neutron as an external network?
Also, I don't recall any previous discussions that took place, maybe someone else on the Neutron team does though and can comment next week.
Thanks for replying. In Nova, we would like to remove an RBAC policy check we currently have for permission to attach to an external network [1]:

    def _check_external_network_attach(self, context, nets):
        """Check if attaching to external network is permitted."""
        if not context.can(servers_policies.NETWORK_ATTACH_EXTERNAL,
                           fatal=False):
            for net in nets:
                # Perform this check here rather than in validate_networks to
                # ensure the check is performed every time
                # allocate_for_instance is invoked
                if net.get('router:external') and not net.get('shared'):
                    raise exception.ExternalNetworkAttachForbidden(
                        network_uuid=net['id'])

The permission defaults to admin-only. This creates what seems like an unnecessary extra requirement for operators to configure RBAC policy in Nova to let non-admins use external networks.

The ask from Neutron is, "can you advise if it is safe for Nova to remove this RBAC policy check and defer all permission decisions about external networks to Neutron?" We have expected the answer to this question is "yes" but wanted to make sure in case there are any gotchas that would happen if we remove it.

-melwitt

[1] https://github.com/openstack/nova/blob/a5bcaf69b1a80d4d02fe092900471a6e7a28e...
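To make the interaction between the two permission layers concrete, here is an added model (not code from Nova or Neutron) that reproduces the decision of the quoted Nova check and a simplified view of Neutron's network RBAC: `access_as_external` grants a project use of an external network, while the `shared` attribute Nova inspects is only set by `access_as_shared` entries. The `Net` type, the RBAC tuples and the project names are constructed for the example.

```python
"""Constructed model: Nova's external-network check layered on Neutron RBAC."""
from dataclasses import dataclass


@dataclass
class Net:
    id: str
    project_id: str        # owning project
    external: bool         # router:external
    rbac: list             # constructed Neutron RBAC entries: (action, target_project)


def neutron_view(net: Net, project: str):
    """Approximate how Neutron presents `net` to `project`: visible if the project
    owns it or an RBAC entry targets it ('*' = all projects). The 'shared' flag is
    derived from access_as_shared entries only (modelling assumption)."""
    def granted(action):
        return any(a == action and t in (project, "*") for a, t in net.rbac)
    shared = granted("access_as_shared")
    visible = (net.project_id == project or shared
               or (net.external and granted("access_as_external")))
    if not visible:
        return None
    return {"id": net.id, "router:external": net.external, "shared": shared}


class ExternalNetworkAttachForbidden(Exception):
    pass


def nova_check(can_attach_external: bool, nets):
    """Same decision as the _check_external_network_attach method quoted above."""
    if not can_attach_external:
        for net in nets:
            if net.get("router:external") and not net.get("shared"):
                raise ExternalNetworkAttachForbidden(net["id"])


def can_attach(net: Net, project: str, can_attach_external: bool = False) -> str:
    """Run both layers in order; returns which layer (if any) denied the attach."""
    view = neutron_view(net, project)
    if view is None:
        return "neutron-denied"
    try:
        nova_check(can_attach_external, [view])
    except ExternalNetworkAttachForbidden:
        return "nova-denied"   # Neutron granted access, Nova policy still blocks
    return "allowed"


# Admin-owned external network granted to tenant-a via access_as_external only.
EXT = Net("ext-net", "admin-proj", True, [("access_as_external", "tenant-a")])
```

With `EXT`, `can_attach(EXT, "tenant-a")` yields `"nova-denied"`: Neutron already granted the project the network, but the Nova default policy blocks it because `shared` is False, which is the redundant layer the message proposes removing.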
[...]