Hi,
On Monday, 16 October 2023 12:46:52 CEST Satish Patel wrote:
> Hi,
>
> My RBAC is set to “access_as_shared” on that network.
>
> On Mon, Oct 16, 2023 at 6:20 AM Rodolfo Alonso Hernandez <
> ralonsoh@redhat.com> wrote:
>
> > Hello Satish:
> >
> > Please check the network RBACs of network "public-network-1". Action
> > "access_as_external" is not the same as "access_as_shared". You should be
> > able to create this port with the second one, not the first.
> >
> > Regards.
> >
> > On Sun, Oct 15, 2023 at 11:35 PM Satish Patel <satish.txt@gmail.com>
> > wrote:
> >
> >> Folks,
> >>
> >> I am trying to give permission to end users to create fixed IP ports and
> >> attach to VMs but so far no luck.
> >>
> >> Release: Zed (OVN based deployment)
> >>
> >> I have added the following in the policy.yml file in the neutron server
> >>
> >> "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or
> >> rule:admin_only or rule:shared"
> >> "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or
> >> rule:network_owner or rule:admin_only or rule:shared"
> >> "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or
> >> rule:network_owner or rule:admin_only or rule:shared"
> >>
> >> $ openstack port create --network public-network-1 --fixed-ip
> >> subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=xx.xx.xx.xx my-port1
> >> ForbiddenException: 403: Client Error for url:
> >> http://192.168.18.100:9696/v2.0/ports, (rule:create_port and
> >> (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and
> >> rule:create_port:fixed_ips:ip_address))) is disallowed by policy
> >>
> >>
> >> I found a reference bug, but I am not sure whether it is fixed or not:
> >> https://bugs.launchpad.net/neutron/+bug/1833455
Yes, the fix for that is https://review.opendev.org/c/openstack/neutron/+/666816 and it should work fine if you have this fix already in your deployment. If not, please open a new LP bug for it.
> >>
> >
>
--
Slawek Kaplonski
Principal Software Engineer
Red Hat