Hi,


Dnia środa, 20 marca 2024 20:32:07 CET Mika Saari pisze:

> Hi,

>

>   I have been trying to understand what I really want myself here.

> Basically currently I do have two goals.

>

>   1) Floating IP port forwarding can be created by project member

>   2) Only admin can create ports to network/subnet "public" which is

> external network. But the network still must be available for reading for

> different projects than "admin" project.

>

>   My current policy,yaml

>   create_floatingip_port_forwarding: (role:member)

>   get_floatingip_port_forwarding: (role:member)

>   update_floatingip_port_forwarding: (role:member)

>   delete_floatingip_port_forwarding: (role:member)

>

>   With this change I can fullfill the first goal. Now member can add port

> forwarding

>

>   The second goal I haven't still been able to fullfill. Admin created the

> public network and subnet. When I login with different account to test

> project, the member can create a port to public (external) network.

> If I try next rule:

>   (rule:admin_only) or (role:member and rule:network_owner)

>

>   The port creation is now disabled but I can not add ports to networks

> which has been created by my test account to my test project. So basically

> I just would like to restrict create_port to the public network, but still

> the project member (test user) could create ports to networks which member

> has created him/herself.


Please check rule NET_OWNER_MEMBER which is defined in https://github.com/openstack/neutron/blob/master/neutron/conf/policies/base.py#L70

IIUC this should be used by you in the 'create_port' policy.


>

>   Thanks a lot!

>

> On Tue, 12 Mar 2024 at 10:58, Sławek Kapłoński <skaplons@redhat.com> wrote:

>

> > Hi,

> >

> > Dnia sobota, 9 marca 2024 10:05:03 CET Mika Saari pisze:

> > > Hi,

> > >

> > >   I am currently testing kolla-ansible using the latest release. During

> > the

> > > creation of an external/provider network ("public"), I have observed

> > that a

> > > non-admin project ("test") can view the network and allocate IP addresses

> > > for routers, for example. I would like to restrict this behavior so that

> > > the external network is listable (openstack network list), but IP

> > > allocation is denied.

> > >

> > >   I have experimented with RBAC rules, creating a new role ("view-only")

> > > and assigning it to a user ("user") in the "test" project. I modified the

> > > policy.yaml files in both Neutron and Horizon as outlined in the

> > > documentation (

> > >

> > https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-policy-customisation

> > > ).

> > >

> > >   Below are the snippets from my neutron/policy.yaml and

> > > horizon/neutron_policy.yaml files created following the sample

> > >

> > https://docs.openstack.org/neutron/2023.2/configuration/policy-sample.html

> > >

> > > policy.yaml

> > > get_network: "(rule:admin_only) or (role:view_only)"

> > > get_subnet: "(rule:admin_only) or (role:view_only)"

> > > get_port: "(rule:admin_only) or (role:view_only)"

> > > get_router: "(rule:admin_only) or (role:view_only)"

> > >

> > > neutron_policy.yaml

> > > get_network: "(rule:admin_only) or (role:view_only)"

> > > get_subnet: "(rule:admin_only) or (role:view_only)"

> > > get_port: "(rule:admin_only) or (role:view_only)"

> > > get_router: "(rule:admin_only) or (role:view_only)"

> > >

> > > After deploying Neutron and Horizon, I adjusted the default RBAC policy

> > so

> > > that the "External Network" action only affects the "admin" project, not

> > > "*". While the admin can still see the public network, the test project

> > > user with the "view_only" role cannot see the "public" network. Enabling

> > > the RBAC policy for the "test" project allows the network to be visible,

> > > but it also enables the member of the project ("user") to reserve IP

> > > addresses for network components.

> > >

> > >   I'm seeking guidance on where to find more information about policies

> > to

> > > achieve the desired functionality. Should I redeploy all the services, or

> > > is depolying Neutron and Horizon sufficient? Am I on the right track with

> > > my policy tests, or is there a simpler way to achieve this functionality?

> > >

> > > Thank you very much for your assistance!

> > >

> >

> > I'm not 100% sure what You want to achieve but first of all there is

> > "reader" role and policies for reader role implemented in neutron already.

> > This role allows only to see things like networks but not create anything

> > there. Would it be enough for You? If not, can You maybe share Your whole

> > policy.yaml file from Neutron? I will try to apply it on my dev env and try

> > to check it then.

> >

> > Also, please not that if You will assign second role for same user, it

> > doesn't mean that previous one will not work at all. Both roles will be

> > assigned to that user so if he has e.g. "member" role still, he will be

> > able to do everything what "member" can do.

> >

> > --

> > Slawek Kaplonski

> > Principal Software Engineer

> > Red Hat

>



--

Slawek Kaplonski

Principal Software Engineer

Red Hat