Hi,

  Tested the NET_OWNER_MEMBER with the syntax below in my neutron/policy.conf. "Create Port" disappears for public network but unfortunately also for networks which my test account has created.
  
  create_port: "(role: admin) or (rule:network_owner)"

  With rule below I managed to restrict the public network port creation (The create port button is still shown in Horizon, but port create is not allowed) and allow the port creation to networks the user has created, but still the "Launch instance" can reserve IP from the public network. I assume Launch instance is not using create_port from neutron but something else? I do not know how to restrict Nova not to create new instance like in neutron.

  create_port: "rule:admin_or_owner or rule:project_id:%(network:project_id)s"

  Thanks for help.  



 

On Mon, 25 Mar 2024 at 10:47, Sławek Kapłoński <skaplons@redhat.com> wrote:

Hi,


Dnia środa, 20 marca 2024 20:32:07 CET Mika Saari pisze:

> Hi,

>

>   I have been trying to understand what I really want myself here.

> Basically currently I do have two goals.

>

>   1) Floating IP port forwarding can be created by project member

>   2) Only admin can create ports to network/subnet "public" which is

> external network. But the network still must be available for reading for

> different projects than "admin" project.

>

>   My current policy,yaml

>   create_floatingip_port_forwarding: (role:member)

>   get_floatingip_port_forwarding: (role:member)

>   update_floatingip_port_forwarding: (role:member)

>   delete_floatingip_port_forwarding: (role:member)

>

>   With this change I can fullfill the first goal. Now member can add port

> forwarding

>

>   The second goal I haven't still been able to fullfill. Admin created the

> public network and subnet. When I login with different account to test

> project, the member can create a port to public (external) network.

> If I try next rule:

>   (rule:admin_only) or (role:member and rule:network_owner)

>

>   The port creation is now disabled but I can not add ports to networks

> which has been created by my test account to my test project. So basically

> I just would like to restrict create_port to the public network, but still

> the project member (test user) could create ports to networks which member

> has created him/herself.


Please check rule NET_OWNER_MEMBER which is defined in https://github.com/openstack/neutron/blob/master/neutron/conf/policies/base.py#L70

IIUC this should be used by you in the 'create_port' policy.


>

>   Thanks a lot!

>

> On Tue, 12 Mar 2024 at 10:58, Sławek Kapłoński <skaplons@redhat.com> wrote:

>

> > Hi,

> >

> > Dnia sobota, 9 marca 2024 10:05:03 CET Mika Saari pisze:

> > > Hi,

> > >

> > >   I am currently testing kolla-ansible using the latest release. During

> > the

> > > creation of an external/provider network ("public"), I have observed

> > that a

> > > non-admin project ("test") can view the network and allocate IP addresses

> > > for routers, for example. I would like to restrict this behavior so that

> > > the external network is listable (openstack network list), but IP

> > > allocation is denied.

> > >

> > >   I have experimented with RBAC rules, creating a new role ("view-only")

> > > and assigning it to a user ("user") in the "test" project. I modified the

> > > policy.yaml files in both Neutron and Horizon as outlined in the

> > > documentation (

> > >

> > https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-policy-customisation

> > > ).

> > >

> > >   Below are the snippets from my neutron/policy.yaml and

> > > horizon/neutron_policy.yaml files created following the sample

> > >

> > https://docs.openstack.org/neutron/2023.2/configuration/policy-sample.html

> > >

> > > policy.yaml

> > > get_network: "(rule:admin_only) or (role:view_only)"

> > > get_subnet: "(rule:admin_only) or (role:view_only)"

> > > get_port: "(rule:admin_only) or (role:view_only)"

> > > get_router: "(rule:admin_only) or (role:view_only)"

> > >

> > > neutron_policy.yaml

> > > get_network: "(rule:admin_only) or (role:view_only)"

> > > get_subnet: "(rule:admin_only) or (role:view_only)"

> > > get_port: "(rule:admin_only) or (role:view_only)"

> > > get_router: "(rule:admin_only) or (role:view_only)"

> > >

> > > After deploying Neutron and Horizon, I adjusted the default RBAC policy

> > so

> > > that the "External Network" action only affects the "admin" project, not

> > > "*". While the admin can still see the public network, the test project

> > > user with the "view_only" role cannot see the "public" network. Enabling

> > > the RBAC policy for the "test" project allows the network to be visible,

> > > but it also enables the member of the project ("user") to reserve IP

> > > addresses for network components.

> > >

> > >   I'm seeking guidance on where to find more information about policies

> > to

> > > achieve the desired functionality. Should I redeploy all the services, or

> > > is depolying Neutron and Horizon sufficient? Am I on the right track with

> > > my policy tests, or is there a simpler way to achieve this functionality?

> > >

> > > Thank you very much for your assistance!

> > >

> >

> > I'm not 100% sure what You want to achieve but first of all there is

> > "reader" role and policies for reader role implemented in neutron already.

> > This role allows only to see things like networks but not create anything

> > there. Would it be enough for You? If not, can You maybe share Your whole

> > policy.yaml file from Neutron? I will try to apply it on my dev env and try

> > to check it then.

> >

> > Also, please not that if You will assign second role for same user, it

> > doesn't mean that previous one will not work at all. Both roles will be

> > assigned to that user so if he has e.g. "member" role still, he will be

> > able to do everything what "member" can do.

> >

> > --

> > Slawek Kaplonski

> > Principal Software Engineer

> > Red Hat

>



--

Slawek Kaplonski

Principal Software Engineer

Red Hat