[neutron] create_port with fixed_Ips is disallowed by policy
Folks,

I am trying to give permission to end users to create fixed IP ports and attach them to VMs, but so far no luck.

Release: Zed (OVN based deployment)

I have added the following in the policy.yml file on the neutron server:

"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"

$ openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=xx.xx.xx.xx my-port1
ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy

I found a reference bug but am not sure whether it is fixed or not: https://bugs.launchpad.net/neutron/+bug/1833455
Hello Satish:

Please check the network RBACs of network "public-network-1". Action "access_as_external" is not the same as "access_as_shared". You should be able to create this port with the second one, not the first.

Regards.

On Sun, Oct 15, 2023 at 11:35 PM Satish Patel <satish.txt@gmail.com> wrote:
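The distinction Rodolfo draws above, worked through as an added example that is not code from the thread or from neutron: a constructed model of how the posted create_port:fixed_ips override resolves for a tenant when the network carries only an access_as_external entry versus an access_as_shared one. The rule names shared, network_owner and admin_only are assumed to map to neutron's default definitions; every network, RBAC entry and request context is constructed.

```python
# Added example, not from the thread or from neutron: models how the posted
# override "rule:context_is_advsvc or rule:network_owner or rule:admin_only or
# rule:shared" resolves against a network's RBAC entries. Assumed neutron defaults:
#   shared        -> field:networks:shared=True (set only by access_as_shared)
#   network_owner -> caller's project owns the network
#   admin_only    -> caller has the admin role

def network_is_shared_for(network, rbac_entries, project_id):
    """A network is 'shared' for a project only through an access_as_shared
    entry targeting that project or '*'; access_as_external does not count."""
    return any(e["object_id"] == network["id"]
               and e["action"] == "access_as_shared"
               and e["target_project"] in ("*", project_id)
               for e in rbac_entries)

def evaluate_fixed_ips_rule(ctx, network, rbac_entries):
    """Return (allowed, name of the first matching alternative or None)."""
    if ctx.get("is_advsvc"):
        return True, "context_is_advsvc"
    if network["project_id"] == ctx["project_id"]:
        return True, "network_owner"
    if "admin" in ctx["roles"]:
        return True, "admin_only"
    if network_is_shared_for(network, rbac_entries, ctx["project_id"]):
        return True, "shared"
    return False, None

def check_create_port(ctx, port, networks, rbac_entries):
    """create_port:fixed_ips, :subnet_id and :ip_address carry the same rule in
    the posted policy.yml, so the nested 'and' in the 403 message collapses to
    one evaluation against the port's network."""
    return evaluate_fixed_ips_rule(ctx, networks[port["network_id"]], rbac_entries)

# Constructed sample data: a provider network owned by another project.
NETWORKS = {"net-1": {"id": "net-1", "project_id": "admin-proj"}}
PORT = {"network_id": "net-1",
        "fixed_ips": [{"subnet_id": "subnet-1", "ip_address": "10.0.0.5"}]}
TENANT_CTX = {"project_id": "tenant-a", "roles": ["member"], "is_advsvc": False}
EXTERNAL_ONLY = [{"object_id": "net-1", "action": "access_as_external",
                  "target_project": "*"}]
SHARED_TOO = EXTERNAL_ONLY + [{"object_id": "net-1", "action": "access_as_shared",
                               "target_project": "tenant-a"}]

def outcome(rbac_entries, ctx=TENANT_CTX):
    return check_create_port(ctx, PORT, NETWORKS, rbac_entries)

if __name__ == "__main__":
    print("external only:", outcome(EXTERNAL_ONLY))   # (False, None) -> 403
    print("access_as_shared:", outcome(SHARED_TOO))   # (True, 'shared')
```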
Hi,

My RBAC is set to "access_as_shared" on that network.

On Mon, Oct 16, 2023 at 6:20 AM Rodolfo Alonso Hernandez <ralonsoh@redhat.com> wrote:
Hi,

On Monday, 16 October 2023 12:46:52 CEST Satish Patel wrote:
Yes, the fix for that is https://review.opendev.org/c/openstack/neutron/+/666816 and it should work fine if you already have this fix in your deployment. If not, please open a new LP bug for it.
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
I will check, but don't you think it should be there, since the patch was submitted in 2019 and I am running the Zed release? I have already submitted a new bug here: https://bugs.launchpad.net/neutron/+bug/2039464

On Tue, Oct 17, 2023 at 4:57 AM Sławek Kapłoński <skaplons@redhat.com> wrote:
Sławek,

I have verified and I do have those snippets, which means my code is patched.

# cat /neutron-base-source/neutron-21.1.3.dev32/build/lib/neutron/policy.py
project_id = target_dict.get('project_id')
# look the network up in a context scoped to the target's project_id,
# falling back to the admin context when the target carries none
ctx = (context.Context(tenant_id=project_id) if project_id
       else context.get_admin_context())
plugin = directory.get_plugin()
network = plugin.get_network(ctx, target_network_id)
target_value = network.get(self.field)

On Tue, Oct 17, 2023 at 8:18 AM Satish Patel <satish.txt@gmail.com> wrote:
Hi,

Just to have all the history and context in the mail thread as well: a bug is open in Launchpad for this issue: https://bugs.launchpad.net/neutron/+bug/2039464

Lajos (lajoskatona)

Satish Patel <satish.txt@gmail.com> wrote (on Tue, 17 Oct 2023, 15:31):
participants (4): Lajos Katona, Rodolfo Alonso Hernandez, Satish Patel, Sławek Kapłoński