[openstack-dev] Neutron permission issue
Ajay Kalambur (akalambu)
akalambu at cisco.com
Fri Jul 11 18:14:07 UTC 2014
Never mind figured it out the rule is on enable_snat inside external gateway info that was the issue
But I think there is an issue with update because the message is misleading when I try to update with external gateway info and enable_snat. I get a message that Resource not found when in reality its a permission issue
I got this exception on update router
/v2_0/client.py", line 1212, in _handle_fault_response
exception_handler_v20(status_code, des_error_body)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 74, in exception_handler_v20
message=error_dict)
NeutronClientException: The resource could not be found.
When I had following
body = {
"router":
{
"name" : "pns-router",
"external_gateway_info":
{
"network_id": net_id,
"enable_snat" : False
}
}
}
It should have thrown a policy error and not this
From: akalambu <akalambu at cisco.com<mailto:akalambu at cisco.com>>
Date: Friday, July 11, 2014 at 11:09 AM
To: "Ian Wells (iawells)" <iawells at cisco.com<mailto:iawells at cisco.com>>, "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: Re: Neutron permission issue
Hi
The issue seems to be the following default config in Neutron policy
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
Puzzling part is from horizon when I set an external gateway for a router is it not the same thing as above. How does it allow it from horizon than?
Ajay
From: "Ian Wells (iawells)" <iawells at cisco.com<mailto:iawells at cisco.com>>
Date: Friday, July 11, 2014 at 10:56 AM
To: akalambu <akalambu at cisco.com<mailto:akalambu at cisco.com>>, "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-group at cisco.com<mailto:openstack-systems-group at cisco.com>>
Subject: Re: Neutron permission issue
Check /etc/neutron/policy.json, but I agree that's weird...
--
Ian.
From: "Ajay Kalambur (akalambu)" <akalambu at cisco.com<mailto:akalambu at cisco.com>>
Date: Friday, 11 July 2014 10:05
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Cc: "openstack-systems-group(mailer list)" <openstack-systems-group at cisco.com<mailto:openstack-systems-group at cisco.com>>
Subject: Neutron permission issue
Hi
As a tenant when I try to create a router and associate a gateway with the router as a two step process in Horizon things work fine.
Now when I want to do the same thing through a create router API call with request below I get permission denied to create router
{
"router":
{
"name": "another_router",
"admin_state_up": true,
"external_gateway_info": {
"network_id": "3c5bcddd-6af9-4e6b-9c3e-c153e521cab8",
"enable_snat": false}
}
}
The network id in both cases is the same. This does not make sense to me
Traceback (most recent call last):
File "vm-tp.py", line 54, in setUp
ext_router = self.net.create_router(CONF.ROUTER_NAME, ext_net['id'])
File "/Users/akalambu/python_venv/latest_code/pns/network.py", line 121, in create_router
router = self.neutron_client.create_router(body)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 101, in with_params
ret = self.function(instance, *args, **kwargs)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 398, in create_router
return self.post(self.routers_path, body=body)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1320, in post
headers=headers, params=params)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1243, in do_request
self._handle_fault_response(status_code, replybody)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 1211, in _handle_fault_response
exception_handler_v20(status_code, des_error_body)
File "/Users/akalambu/python_venv/venv/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 68, in exception_handler_v20
status_code=status_code)
Forbidden: Policy doesn't allow create_router to be performed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140711/c0ac6073/attachment.html>
More information about the OpenStack-dev
mailing list