[neutron] Disable subnet-external-network extension
Greetings,

Since Neutron 2024.2 (25.0.0), the subnet-external-network extension is loaded by default. This causes subnetworks that are part of external networks to be visible to non-admin users.

We found this behavior a bit confusing for regular users, as those subnetworks are often not usable for spawning VMs or creating load balancers. Depending on the number of external subnetworks, dashboards like Networks and Load Balancer Create in Octavia can become cluttered with entries that are effectively unusable for non-admins, as they are intended only for routers and floating IPs.

I've reviewed the patches mentioned in [1], and as far as I can tell, the new extension is enabled by default with no apparent way to disable it or revert to the previous behavior.

Am I missing something? Is there a way to prevent external subnetworks from being shown to non-admin users?

[1] https://bugs.launchpad.net/neutron/+bug/2051831

Thanks in advance,
Best regards,
Max
Hello Maximilian:

By definition, an external network is a shared network with the addition of being external (can be used as router gateway). The subnets inherit the RBAC properties and thus all subnets belonging to a shared (or external) network are visible to the user who has access to this network. The previous behaviour, where the subnets of an external network were hidden to the non-owner user, was incorrect.

In any case, you can implement your own local policies for "get_network"/"get_networks", limiting them to the network owner or the admin user.

Regards.

On Thu, Jul 10, 2025 at 1:40 PM Maximilian Stinsky-Damke <Maximilian.Stinsky-Damke@wiit.cloud> wrote:
Hi Rodolfo,

Thanks for the answer. I still think that from a UX perspective it's better to not show those subnetworks. As an example, since the change, the Octavia dashboard's create-LB form shows all external subnetworks even though most of the time LBs can't spawn in those networks.

Your comment about policies helped me find how to easily get the old behaviour back, by overriding the get_subnet policy and removing rule:external_network from it.

Best Regards
Max

________________________________
From: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Sent: 10 July 2025 21:56
To: Maximilian Stinsky-Damke <Maximilian.Stinsky-Damke@wiit.cloud>
Cc: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [neutron] Disable subnet-external-network extension
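The policy override Max describes (dropping rule:external_network from get_subnet) and the local-policy approach Rodolfo suggests, written out as an added example. This is not code from the thread or from Neutron itself: the file path is assumed (any file named by [oslo_policy] policy_file or placed under policy_dirs in neutron.conf is read), and the "before" check string is my reconstruction of the shipped default, not a verbatim copy. Dump the real default for your release with `oslopolicy-policy-generator --namespace neutron` and edit that string, because an override replaces the whole rule rather than subtracting one term.

```yaml
# /etc/neutron/policy.d/10-hide-external-subnets.yaml   (path assumed)
#
# Before: assumed shape of the default get_subnet rule in Neutron 2024.2+,
# which is what makes subnets of external networks visible to every user:
#
#   "get_subnet": "(rule:context_is_admin) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external_network"
#
# After: the same rule without rule:external_network. Admins and project
# readers still see their own subnets, and subnets of shared networks stay
# visible; subnets of networks that are only external are hidden again,
# which is the pre-2024.2 behaviour the thread describes.
"get_subnet": "(rule:context_is_admin) or (role:reader and project_id:%(project_id)s) or rule:shared"
```

oslo.policy re-reads a policy file when its mtime changes, so no restart is needed; confirm the effect by running `openstack subnet list` with a non-admin credential before and after, and keep `rule:shared` in place or users lose subnets of genuinely shared networks too. Because the override lives in the operator's policy file rather than in Neutron's defaults, it survives upgrades but must be re-checked against the generated default after each one, since a new term added upstream would be silently dropped by the full-rule replacement.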
participants (2)
- Maximilian Stinsky-Damke
- Rodolfo Alonso Hernandez