Hi,
On Monday, 16 October 2023 12:46:52 CEST Satish Patel wrote:
Hi,
My RBAC is set to “access_as_shared” on that network.
On Mon, Oct 16, 2023 at 6:20 AM Rodolfo Alonso Hernandez <ralonsoh@redhat.com> wrote:
Hello Satish:
Please check the network RBACs of network "public-network-1". Action "access_as_external" is not the same as "access_as_shared". You should be able to create this port with the second one, not the first.
Regards.
On Sun, Oct 15, 2023 at 11:35 PM Satish Patel <satish.txt@gmail.com> wrote:
Folks,
I am trying to give permission to end users to create fixed IP ports and attach to VMs but so far no luck.
Release: Zed (OVN based deployment)
I have added the following to the policy.yml file on the neutron server:
"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
$ openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=xx.xx.xx.xx my-port1
ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy
I found a reference bug, but I am not sure whether it is fixed or not: https://bugs.launchpad.net/neutron/+bug/1833455
Yes, the fix for that is https://review.opendev.org/c/openstack/neutron/+/666816 and it should work fine if you have this fix already in your deployment. If not, please open a new LP bug for it.
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
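An added example, not part of the original thread and not Neutron's own code: the 403 text names every rule that was ANDed together for the request, so it can be compared against the overrides in the policy file to see which of those rules still fall back to their in-code defaults. The sample inputs are constructed from the lines quoted in the thread; the helper names are hypothetical, and the script only lists rules, it does not evaluate them.

```python
import re

# Constructed from the thread: the three posted overrides and the 403 message.
ALTS = "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
POLICY_TEXT = "\n".join(
    f'"{name}": "{ALTS}"'
    for name in ("create_port:fixed_ips",
                 "create_port:fixed_ips:ip_address",
                 "create_port:fixed_ips:subnet_id"))
DENIAL = ("(rule:create_port and (rule:create_port:fixed_ips and "
          "(rule:create_port:fixed_ips:subnet_id and "
          "rule:create_port:fixed_ips:ip_address))) is disallowed by policy")

ENTRY = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*$')
RULE_REF = re.compile(r"rule:([A-Za-z0-9_:]+)")


def load_overrides(text):
    """Parse one-line "name": "expression" entries (hypothetical helper)."""
    overrides = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            # Split the expression into its OR'd alternatives.
            overrides[match.group(1)] = [a.strip() for a in match.group(2).split(" or ")]
    return overrides


def rules_in_denial(message):
    """Return the rule names of the denied conjunction, in message order."""
    expression = message.split(" is disallowed by policy")[0]
    return RULE_REF.findall(expression)


def audit(message, policy_text):
    """Map each rule in the denial to its override, or None if the file has none."""
    overrides = load_overrides(policy_text)
    return {name: overrides.get(name) for name in rules_in_denial(message)}


if __name__ == "__main__":
    for name, alternatives in audit(DENIAL, POLICY_TEXT).items():
        if alternatives is None:
            print(f"{name}: no override in file, in-code default applies")
        else:
            print(f"{name}: override = " + " | ".join(alternatives))
```

With the inputs from the thread, `create_port` is the one rule in the conjunction that the posted policy file does not override.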