Brendan Shephard
Senior Software Engineer
193 N Quay
Brisbane City QLD 4000
On Thu, 2022-09-15 at 08:59 +1000, Brendan Shephard wrote:
> Hey Albert,
>
> The policy is the default Neutron policy in OpenStack Train. These can indeed be changed and customised, but my assumption is that you haven’t created any custom policies. Horizon uses the default for each service unless it’s been overwritten.
policy is defiend server side not client side so it applie equially to all users of the api
so the behavior will be the same for horizon or the cli
if you ever find a delta because horizon say used a differnt token to make the request that is a securty vulnerablity in horizon and should be
reported privatly to the horizon core team :)
>
> If I create a non-admin user and try to change security groups I also get the same error:
> 2022-09-14 22:01:33,370 64 INFO openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy
>
> And I can reproduce your same scenario ff I try via the CLI using these steps:
> 1. Add entry for new user to clouds.yaml file:
> bne-home-test:
> auth:
> auth_url: https://openstack.bne-home.net:13000
> password: "test"
> project_domain_name: Default
> project_name: bne-home
> user_domain_name: Default
> username: test
> cacert: ~/.certs/overcloud-cacert.pem
> identity_api_version: '3'
> region_name: regionOne
> volume_api_version: ‘3'
>
> 2. export OS_CLOUD=bne-home-test
>
> 3. Try to remove security group from port:
> ❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
> addresses:
> lb-mgmt-net:
> - 172.24.0.90
> vlan4-infra:
> - 172.20.13.175
> security_groups:
> - name: management-bne
the security group listed in nova is the default security group that will be used by all port create by nova.
it only applie to ports created by nova and not ones that are passed in using the uuid of a precreate port.
you shoudl in general not mix managing security groups via nova and neutron.
horizon shoudl prefer to manage security groups only via neutron if it can.
>
> ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
> fixed_ips:
> - ip_address: 172.20.13.175
> subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
> port_security_enabled: true
> security_group_ids:
> - a3ae6e20-67df-4a72-9d5b-cc21ad87464f
>
> ❯ openstack port unset --security-group a3ae6e20-67df-4a72-9d5b-cc21ad87464f 4df563ce-5464-4f7d-8aaf-c5496cdaefda
> ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
> fixed_ips:
> - ip_address: 172.20.13.175
> subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
> port_security_enabled: true
> security_group_ids: []
>
>
> Verify that I’m definitely not a admin user:
> ❯ openstack server list --all
> Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-75c19210-ad91-471f-b500-e1f3482825f8)
>
>
> I don’t think this user should be allowed to do that via the CLI either. So that could be a bug there. The request in the Neutron server.log when I do it via the CLI:
>
>
user can add or remove security groups without being and admin including removing all securtiy groups thats intended behavior and should not require
admin.
are you implying that horizon is doing "openstack server list --all" --all is short for --all-tenants.
outside of the admin tab in horizon horizon would never pass the equivlent of --all to the nova api.
> 2022-09-14 22:19:12.987 21 INFO neutron.wsgi [None req-f99c4c15-003c-4f7e-9e41-9100daa2a566 781362d053ee4708a21430d3a825795a 3ff28fc7abf742a6b7a0d016771dee49 - - default default] 192.168.1.17,172.16.2.85 "PUT /v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda HTTP/1.1" status: 200 len: 1102 time: 0.4449480
>
> VS Horizon:
> 2022-09-14 22:20:23.087 20 INFO neutron.wsgi [None req-4c284690-eb69-43df-b205-4953a88ab87c 781362d053ee4708a21430d3a825795a 3ff28fc7abf742a6b7a0d016771dee49 - - default default] 172.20.10.25,172.16.2.85 "PUT /v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda HTTP/1.1" status: 403 len: 386 time: 0.2209103
>
> I have raised a upstream bug for this since I can still reproduce it on the latest version of OpenStack:
> https://bugs.launchpad.net/neutron/+bug/1989627
> Bug #1989627 “Policy enforcement variance between openstackcli a...” : Bugs : neutron
> bugs.launchpad.net
policy is enfoced on the nova/neutron api it cant behave differntly for horizon unless horizon is useing the wrong token.
i.e. not he users token.
>
>
> Brendan Shephard
> Senior Software Engineer
> Brisbane, Australia
>
>
>
> > On 15 Sep 2022, at 2:25 am, Albert Braden <ozzzo@yahoo.com> wrote:
> >
> > Hi Brendan, thanks for offering to help! I'll contact you privately with info about some languishing cases.
> >
> > Here's the policy line:
> > "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
> >
> > Does this policy only affect Horizon? I'm using the same non-admin user for both CLI and Horizon, on a project where that user is a member. The network was created by the admin user.
> > On Wednesday, September 14, 2022, 10:41:31 AM EDT, Brendan Shephard <bshephar@redhat.com> wrote:
> >
> >
> > Hi Albert,
> >
> > While I may not be the best person to address your Horizon concern. I can probably help you with your Red Hat support concerns. If you had any issues you wanted addressed, or feedback you wanted to provide. Feel free to give me a yell.
> >
> > Looking at your Horizon issue though. It seems the default policy file is what prevents you from updating that port. We can see the default policy like this for example:
> >
> > [root@controller-2 ~]# podman exec -it neutron_api oslopolicy-policy-generator --namespace neutron | grep "update_port:port_security_enabled"
> > "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
> >
> > When you execute the command via the CLI, which user are you using? Are you just sourcing the overcloudrc file, or using export OS_CLOUD=overcloud. If that’s the case then you would be using the admin user on the CLI, but probably a different user when logging into Horizon.
> >
> > I too would suggest opening a support case. It sounds like you have previously had a negative experience with that. If you want to open a new one and share the case number with me, I can follow up on that for you. As someone who personally knows a lot of the RHOSP Technical Support team from around the world. I’m confident we can right whatever wrong may have occurred there.
> >
> > Let me know if I can help in any way.
> >
> > Regards,
> >
> > Brendan Shephard
> > Senior Software Engineer
> > Brisbane, Australia
> >
> >
> >
> > > On 14 Sep 2022, at 10:36 pm, Albert Braden <ozzzo@yahoo.com> wrote:
> > >
> > > On CLI I can type "openstack port set --no-security-group <ID>" to remove all security groups. In Horizon, the equivalent operation would be using the - button to remove all groups and then clicking "Update." Using the + button would be the equivalent of typing "openstack port set --security-group <group ID>". There doesn't seem to be a way to remove a single security group via CLI; I think the only way would be to set --no-security-group and then add back the desired groups.
> > >
> > > I can successfully add security groups to a port via CLI, or I can remove all security groups. If I go into Horizon and try these operations then I get the error when I click "Update." So it appears that security groups can be added and removed, with port security set, via CLI. We only see the failure when we try to do it via Horizon.
> > >
> > > Regarding RHOSP support; I assume that you are joking, or maybe haven't experienced the support that they offer.
> > > On Tuesday, September 13, 2022, 06:30:11 PM EDT, Laurent Dumont <laurentfdumont@gmail.com> wrote:
> > >
> > >
> > > If you are running RHOSP, you might have a support contract with Red Hat?
> > >
> > > Are you trying to remove all the security groups from a port that has port_security enabled?
> > >
> > > On Tue, Sep 13, 2022 at 11:53 AM Albert Braden <ozzzo@yahoo.com <mailto:ozzzo@yahoo.com>> wrote:
> > > Unfortunately we are running RHOSP in which Train is the latest and greatest. This is what we see in horizon.log:
> > >
> > > [Tue Sep 13 15:28:15.362703 2022] [wsgi:error] [pid 27:tid 139683266553600] [remote 10.232.233.11:57498 <http://10.232.233.11:57498/>] Failed to update port 08fdbb97-4896-4afb-9390-41481ff27cac: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy
> > > On Friday, September 9, 2022, 10:59:34 AM EDT, Pierre Riteau <pierre@stackhpc.com <mailto:pierre@stackhpc.com>> wrote:
> > >
> > >
> > > Hello,
> > >
> > > This is more likely to be a Horizon bug than an issue with Kolla itself, since Kolla doesn't change much from the default configuration.
> > >
> > > You should check Horizon logs in /var/log/kolla/horizon to find the error. I would also encourage you to upgrade to a more recent release, since Train has been marked as End of Life in Kolla recently.
> > >
> > > Cheers,
> > > Pierre Riteau (priteau)
> > >
> > > On Fri, 9 Sept 2022 at 15:41, Albert Braden <ozzzo@yahoo.com <mailto:ozzzo@yahoo.com>> wrote:
> > > We're running kolla train and we're seeing an apparent bug when we try to add or remove security groups on a port. We see error "Failed to update port <ID>". It works fine in CLI; we only see this in Horizon. Is this a known bug, or are we doing something wrong?
> > >
> >
>
> Hey Albert,
>
> The policy is the default Neutron policy in OpenStack Train. These can indeed be changed and customised, but my assumption is that you haven’t created any custom policies. Horizon uses the default for each service unless it’s been overwritten.
>
> If I create a non-admin user and try to change security groups I also get the same error:
> 2022-09-14 22:01:33,370 64 INFO openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy
>
> And I can reproduce your same scenario ff I try via the CLI using these steps:
> 1. Add entry for new user to clouds.yaml file:
> bne-home-test:
> auth:
> auth_url: https://openstack.bne-home.net:13000
> password: "test"
> project_domain_name: Default
> project_name: bne-home
> user_domain_name: Default
> username: test
> cacert: ~/.certs/overcloud-cacert.pem
> identity_api_version: '3'
> region_name: regionOne
> volume_api_version: ‘3'
>
> 2. export OS_CLOUD=bne-home-test
>
> 3. Try to remove security group from port:
> ❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
> addresses:
> lb-mgmt-net:
> - 172.24.0.90
> vlan4-infra:
> - 172.20.13.175
> security_groups:
> - name: management-bne
>
> ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
> fixed_ips:
> - ip_address: 172.20.13.175
> subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
> port_security_enabled: true
> security_group_ids:
> - a3ae6e20-67df-4a72-9d5b-cc21ad87464f
>
> ❯ openstack port unset --security-group a3ae6e20-67df-4a72-9d5b-cc21ad87464f 4df563ce-5464-4f7d-8aaf-c5496cdaefda
> ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
> fixed_ips:
> - ip_address: 172.20.13.175
> subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
> port_security_enabled: true
> security_group_ids: []
>
>
> Verify that I’m definitely not a admin user:
> ❯ openstack server list --all
> Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-75c19210-ad91-471f-b500-e1f3482825f8)
>
>
> I don’t think this user should be allowed to do that via the CLI either. So that could be a bug there. The request in the Neutron server.log when I do it via the CLI:
> 2022-09-14 22:19:12.987 21 INFO neutron.wsgi [None req-f99c4c15-003c-4f7e-9e41-9100daa2a566 781362d053ee4708a21430d3a825795a 3ff28fc7abf742a6b7a0d016771dee49 - - default default] 192.168.1.17,172.16.2.85 "PUT /v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda HTTP/1.1" status: 200 len: 1102 time: 0.4449480
>
> VS Horizon:
> 2022-09-14 22:20:23.087 20 INFO neutron.wsgi [None req-4c284690-eb69-43df-b205-4953a88ab87c 781362d053ee4708a21430d3a825795a 3ff28fc7abf742a6b7a0d016771dee49 - - default default] 172.20.10.25,172.16.2.85 "PUT /v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda HTTP/1.1" status: 403 len: 386 time: 0.2209103
>
> I have raised a upstream bug for this since I can still reproduce it on the latest version of OpenStack:
> launchpad-og-image.pngBug #1989627 “Policy enforcement variance between openstackcli a...” : Bugs : neutron
> bugs.launchpad.net
>
>
>
> Brendan Shephard
> Senior Software Engineer
> Brisbane, Australia
>
>
>
> > On 15 Sep 2022, at 2:25 am, Albert Braden <ozzzo@yahoo.com> wrote:
> >
> > Hi Brendan, thanks for offering to help! I'll contact you privately with info about some languishing cases.
> >
> > Here's the policy line:
> > "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
> >
> > Does this policy only affect Horizon? I'm using the same non-admin user for both CLI and Horizon, on a project where that user is a member. The network was created by the admin user.
> > On Wednesday, September 14, 2022, 10:41:31 AM EDT, Brendan Shephard <bshephar@redhat.com> wrote:
> >
> >
> > Hi Albert,
> >
> > While I may not be the best person to address your Horizon concern. I can probably help you with your Red Hat support concerns. If you had any issues you wanted addressed, or feedback you wanted to provide. Feel free to give me a yell.
> >
> > Looking at your Horizon issue though. It seems the default policy file is what prevents you from updating that port. We can see the default policy like this for example:
> >
> > [root@controller-2 ~]# podman exec -it neutron_api oslopolicy-policy-generator --namespace neutron | grep "update_port:port_security_enabled"
> > "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
> >
> > When you execute the command via the CLI, which user are you using? Are you just sourcing the overcloudrc file, or using export OS_CLOUD=overcloud. If that’s the case then you would be using the admin user on the CLI, but probably a different user when logging into Horizon.
> >
> > I too would suggest opening a support case. It sounds like you have previously had a negative experience with that. If you want to open a new one and share the case number with me, I can follow up on that for you. As someone who personally knows a lot of the RHOSP Technical Support team from around the world. I’m confident we can right whatever wrong may have occurred there.
> >
> > Let me know if I can help in any way.
> >
> > Regards,
> >
> > Brendan Shephard
> > Senior Software Engineer
> > Brisbane, Australia
> >
> >
> >
> > > On 14 Sep 2022, at 10:36 pm, Albert Braden <ozzzo@yahoo.com> wrote:
> > >
> > > On CLI I can type "openstack port set --no-security-group <ID>" to remove all security groups. In Horizon, the equivalent operation would be using the - button to remove all groups and then clicking "Update." Using the + button would be the equivalent of typing "openstack port set --security-group <group ID>". There doesn't seem to be a way to remove a single security group via CLI; I think the only way would be to set --no-security-group and then add back the desired groups.
> > >
> > > I can successfully add security groups to a port via CLI, or I can remove all security groups. If I go into Horizon and try these operations then I get the error when I click "Update." So it appears that security groups can be added and removed, with port security set, via CLI. We only see the failure when we try to do it via Horizon.
> > >
> > > Regarding RHOSP support; I assume that you are joking, or maybe haven't experienced the support that they offer.
> > > On Tuesday, September 13, 2022, 06:30:11 PM EDT, Laurent Dumont <laurentfdumont@gmail.com> wrote:
> > >
> > >
> > > If you are running RHOSP, you might have a support contract with Red Hat?
> > >
> > > Are you trying to remove all the security groups from a port that has port_security enabled?
> > >
> > > On Tue, Sep 13, 2022 at 11:53 AM Albert Braden <ozzzo@yahoo.com> wrote:
> > > > Unfortunately we are running RHOSP in which Train is the latest and greatest. This is what we see in horizon.log:
> > > >
> > > > [Tue Sep 13 15:28:15.362703 2022] [wsgi:error] [pid 27:tid 139683266553600] [remote 10.232.233.11:57498] Failed to update port 08fdbb97-4896-4afb-9390-41481ff27cac: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy
> > > > On Friday, September 9, 2022, 10:59:34 AM EDT, Pierre Riteau <pierre@stackhpc.com> wrote:
> > > >
> > > >
> > > > Hello,
> > > >
> > > > This is more likely to be a Horizon bug than an issue with Kolla itself, since Kolla doesn't change much from the default configuration.
> > > >
> > > > You should check Horizon logs in /var/log/kolla/horizon to find the error. I would also encourage you to upgrade to a more recent release, since Train has been marked as End of Life in Kolla recently.
> > > >
> > > > Cheers,
> > > > Pierre Riteau (priteau)
> > > >
> > > > On Fri, 9 Sept 2022 at 15:41, Albert Braden <ozzzo@yahoo.com> wrote:
> > > > > We're running kolla train and we're seeing an apparent bug when we try to add or remove security groups on a port. We see error "Failed to update port <ID>". It works fine in CLI; we only see this in Horizon. Is this a known bug, or are we doing something wrong?
> > > > >
> >
>