[victoria][ops][horizon][neutron] Network not available to use by Members in Horizon
All;

We just discovered, this morning, that Members of one of our projects can't see the project's network, in order to use it in Instance creation. If an Administrator creates a Port, the Member user can then use it to create an Instance.

Most of our activity to this point has been by Administrators, this is the first time we've opened a project up to users with the Member level.

Is this expected behavior?

Thank you,

Dominic L. Hilsbos, MBA
Vice President - Information Technology
Perform Air International Inc.
DHilsbos@PerformAir.com
www.PerformAir.com
Hi,

On Friday, 13 August 2021 18:25:03 CEST DHilsbos@performair.com wrote:
> All;
>
> We just discovered, this morning, that Members of one of our projects can't see the project's network, in order to use it in Instance creation. If an Administrator creates a Port, the Member user can then use it to create an Instance.
>
> Most of our activity to this point has been by Administrators, this is the first time we've opened a project up to users with the Member level.
>
> Is this expected behavior?

Please check which project is the owner of the network and how your policies are configured. By default, the owner (project) of the network should always see it and be able to create a port in its own network.

> Thank you,
>
> Dominic L. Hilsbos, MBA
> Vice President - Information Technology
> Perform Air International Inc.
> DHilsbos@PerformAir.com
> www.PerformAir.com

--
Slawek Kaplonski
Principal Software Engineer
Red Hat
All;

Thank you for your responses.

I probably should have mentioned that the network in question is an external, provider network. Some additional Googling indicated that such networks get an RBAC rule (use-as-external) which limits what non-admins can do with them, even against the "owning" project.

I added a countering RBAC rule (use-as-shared) which targets only the project in question, and that resolved the observed issues.

Thank you,

Dominic L. Hilsbos, MBA
Vice President – Information Technology
Perform Air International Inc.
DHilsbos@PerformAir.com
www.PerformAir.com

-----Original Message-----
From: Slawek Kaplonski [mailto:skaplons@redhat.com]
Sent: Monday, August 16, 2021 12:53 AM
To: openstack-discuss@lists.openstack.org
Cc: Dominic Hilsbos
Subject: Re: [victoria][ops][horizon][neutron] Network not available to use by Members in Horizon

Hi,

On Friday, 13 August 2021 18:25:03 CEST DHilsbos@performair.com wrote:
> All;
>
> We just discovered, this morning, that Members of one of our projects can't see the project's network, in order to use it in Instance creation. If an Administrator creates a Port, the Member user can then use it to create an Instance.
>
> Most of our activity to this point has been by Administrators, this is the first time we've opened a project up to users with the Member level.
>
> Is this expected behavior?

Please check which project is the owner of the network and how your policies are configured. By default, the owner (project) of the network should always see it and be able to create a port in its own network.

> Thank you,
>
> Dominic L. Hilsbos, MBA
> Vice President - Information Technology
> Perform Air International Inc.
> DHilsbos@PerformAir.com
> www.PerformAir.com

--
Slawek Kaplonski
Principal Software Engineer
Red Hat
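An added example (not from the thread or from the Neutron project): a small audit over RBAC entries in the shape returned by Neutron's `GET /v2.0/rbac-policies`, showing how a share targeted at one project, as in the message above, differs from a wildcard share. It uses the API action names `access_as_shared` and `access_as_external` for the rules the message calls use-as-shared and use-as-external; all IDs are constructed placeholders, and network ownership and policy-file checks are not modelled.

```python
import json

# Constructed sample in the shape of a GET /v2.0/rbac-policies response.
# Every ID below is a placeholder, not a value from the thread.
SAMPLE = json.loads("""
{"rbac_policies": [
  {"id": "rbac-1", "object_type": "network", "object_id": "net-ext",
   "action": "access_as_external", "target_tenant": "*"},
  {"id": "rbac-2", "object_type": "network", "object_id": "net-ext",
   "action": "access_as_shared", "target_tenant": "project-a"},
  {"id": "rbac-3", "object_type": "network", "object_id": "net-lab",
   "action": "access_as_shared", "target_tenant": "*"}
]}
""")["rbac_policies"]


def grants(policies, network_id, action):
    """Targets ('*' means every project) that hold `action` on the network."""
    return {p["target_tenant"] for p in policies
            if p["object_type"] == "network"
            and p["object_id"] == network_id
            and p["action"] == action}


def can_use_for_ports(policies, network_id, project_id):
    """True if an access_as_shared entry covers the project, directly or via '*'."""
    targets = grants(policies, network_id, "access_as_shared")
    return "*" in targets or project_id in targets


def audit(policies):
    """Return (network, rbac id) pairs where access_as_shared targets every project."""
    findings = []
    for p in policies:
        if (p["object_type"] == "network"
                and p["action"] == "access_as_shared"
                and p["target_tenant"] == "*"):
            findings.append((p["object_id"], p["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for project in ("project-a", "project-b"):
        print(project, "ports on net-ext:",
              can_use_for_ports(SAMPLE, "net-ext", project))
    print("wildcard shares:", audit(SAMPLE))
```
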