[openstack-dev] Neutron permission issue
Ajay Kalambur (akalambu)
akalambu at cisco.com
Fri Jul 11 18:14:07 UTC 2014
Never mind, figured it out: the rule is on enable_snat inside external_gateway_info; that was the issue.
But I think there is an issue with update, because the message is misleading when I try to update with external_gateway_info and enable_snat: I get a message that the resource was not found when in reality it's a permission issue.
I got this exception on update router:
/v2_0/client.py", line 1212, in _handle_fault_response
    exception_handler_v20(status_code, des_error_body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 74, in exception_handler_v20
    message=error_dict)
NeutronClientException: The resource could not be found.
When I had the following:
body = {
    "router": {
        "name": "pns-router",
        "external_gateway_info": {
            "network_id": net_id,
            "enable_snat": False
        }
    }
}
It should have thrown a policy error and not this.
From: akalambu <akalambu at cisco.com>
Date: Friday, July 11, 2014 at 11:09 AM
To: "Ian Wells (iawells)" <iawells at cisco.com>, "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: Neutron permission issue
Hi
The issue seems to be the following default config in Neutron policy:
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
The puzzling part is from Horizon: when I set an external gateway for a router, is it not the same thing as above? How does it allow it from Horizon then?
Ajay
From: "Ian Wells (iawells)" <iawells at cisco.com>
Date: Friday, July 11, 2014 at 10:56 AM
To: akalambu <akalambu at cisco.com>, "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-group at cisco.com>
Subject: Re: Neutron permission issue
Check /etc/neutron/policy.json, but I agree that's weird...
--
Ian.
From: "Ajay Kalambur (akalambu)" <akalambu at cisco.com>
Date: Friday, 11 July 2014 10:05
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-group at cisco.com>
Subject: Neutron permission issue
Hi
As a tenant, when I try to create a router and associate a gateway with the router as a two-step process in Horizon, things work fine.
Now when I want to do the same thing through a create router API call with the request below, I get permission denied to create router:
{
    "router": {
        "name": "another_router",
        "admin_state_up": true,
        "external_gateway_info": {
            "network_id": "3c5bcddd-6af9-4e6b-9c3e-c153e521cab8",
            "enable_snat": false
        }
    }
}
The network id in both cases is the same. This does not make sense to me.
Traceback (most recent call last):
  File "vm-tp.py", line 54, in setUp
    ext_router = self.net.create_router(CONF.ROUTER_NAME, ext_net['id'])
  File "/Users/akalambu/python_venv/latest_code/pns/network.py", line 121, in create_router
    router = self.neutron_client.create_router(body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 101, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 398, in create_router
    return self.post(self.routers_path, body=body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1320, in post
    headers=headers, params=params)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1243, in do_request
    self._handle_fault_response(status_code, replybody)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1211, in _handle_fault_response
    exception_handler_v20(status_code, des_error_body)
  File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 68, in exception_handler_v20
    status_code=status_code)
Forbidden: Policy doesn't allow create_router to be performed.
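The behaviour reported in this thread, modelled as an added example that is not part of the thread and not Neutron's own policy code. It assumes two things about the Neutron API of that era: the attribute-level rule "create_router:external_gateway_info:enable_snat" (and its update_router twin) is consulted only when enable_snat is explicitly present in the request body, so Horizon's set-gateway action, which sends an update carrying only network_id, never reaches the admin_only rule; and the API controller turns a policy denial on update into a 404 "The resource could not be found." so that a tenant cannot use policy failures to probe whether a resource exists, which is why the update case in the thread is reported as not-found rather than forbidden. The policy names, the network id and the role names are taken from the thread or constructed here; EXT_NET_ID, check_rule, triggered_rules, enforce and demo are this example's own names.

```python
"""Toy model of Neutron attribute-level policy enforcement (added example).

Constructed for this thread; it is not Neutron's policy engine. It models
the attribute-level rule lookup ("<action>:<attr>:<sub>" is checked only
when that sub-attribute is in the body) and the API layer's 403-on-create
versus 404-on-update reporting of a denied request.
"""

# Subset of the default policy.json quoted in the thread; "default" is the
# fallback for actions without an explicit entry ("" means always allowed).
POLICY = {
    "default": "",
    "admin_only": "role:admin",
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
}

# Network id from the thread; the role names below are constructed.
EXT_NET_ID = "3c5bcddd-6af9-4e6b-9c3e-c153e521cab8"


class Forbidden(Exception):
    """Maps to HTTP 403 / neutronclient Forbidden."""


class NotFound(Exception):
    """Maps to HTTP 404 / neutronclient NeutronClientException."""


def check_rule(name, roles, depth=0):
    """Evaluate a rule of the form "", "role:<r>" or "rule:<other>"."""
    rule = POLICY.get(name, POLICY["default"])
    if rule == "":
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        if depth > 8:  # guard against self-referential rules
            raise ValueError("rule recursion too deep at %r" % name)
        return check_rule(value, roles, depth + 1)
    raise ValueError("unsupported rule syntax: %r" % rule)


def triggered_rules(action, resource_body):
    """Rule names the body actually triggers: the action, one "<action>:<attr>"
    per top-level attribute, and "<action>:<attr>:<sub>" per key of a
    dict-valued attribute. Attributes absent from the body add nothing."""
    names = [action]
    for attr, value in resource_body.items():
        names.append("%s:%s" % (action, attr))
        if isinstance(value, dict):
            names.extend("%s:%s:%s" % (action, attr, sub) for sub in value)
    return names


def enforce(action, resource_body, roles):
    """Raise Forbidden if any triggered rule fails for these roles."""
    for name in triggered_rules(action, resource_body):
        if not check_rule(name, roles):
            raise Forbidden("Policy doesn't allow %s to be performed." % action)


def create_router(body, roles):
    """POST /v2.0/routers: a denial surfaces as 403."""
    enforce("create_router", body["router"], roles)
    return dict(body["router"], id="router-1")


def update_router(body, roles):
    """PUT /v2.0/routers/<id>: a denial is masked as 404 (assumed behaviour)."""
    try:
        enforce("update_router", body["router"], roles)
    except Forbidden:
        raise NotFound("The resource could not be found.")
    return body["router"]


def outcome(call, body, roles):
    """Run a call and summarise the HTTP-level result as a string."""
    try:
        call(body, roles)
        return "allowed"
    except Forbidden:
        return "403 Forbidden"
    except NotFound:
        return "404 NotFound"


def demo():
    """The requests from the thread as a non-admin tenant, then the same
    create as admin. Returns the four outcomes in that order."""
    tenant, admin = ["_member_"], ["admin"]
    with_snat = {"router": {"name": "another_router", "admin_state_up": True,
                            "external_gateway_info": {"network_id": EXT_NET_ID,
                                                      "enable_snat": False}}}
    horizon_style = {"router": {"external_gateway_info": {"network_id": EXT_NET_ID}}}
    return (outcome(create_router, with_snat, tenant),
            outcome(update_router, with_snat, tenant),
            outcome(update_router, horizon_style, tenant),
            outcome(create_router, with_snat, admin))


if __name__ == "__main__":
    labels = ("tenant create with enable_snat", "tenant update with enable_snat",
              "tenant update, network_id only", "admin create with enable_snat")
    for label, result in zip(labels, demo()):
        print("%-32s -> %s" % (label, result))
```

The practical check this suggests is to diff the request body your client sends against the one Horizon sends: dropping enable_snat from external_gateway_info (and letting the server default apply) keeps a tenant request off the admin_only rule, while any explicit enable_snat, even False, requires admin under the default policy. Whether a denied update is reported as 404 or 403 has changed across Neutron releases, so treat the 404 in the thread as a possible policy denial when the resource is known to exist.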