[openstack-dev] [neutron] - port-create with network from a different tenant does not fail

Kevin Benton blak111 at gmail.com
Tue Feb 10 23:06:43 UTC 2015


Unfortunately shared networks right now have no fine-grained control so
every single tenant can attach to a network once it is marked as shared. So
if you have one tenant who wants to have another tenant attach a few
servers to his/her network, the only choice is to have the admin do it via
the operation you described above.

On Tue, Feb 10, 2015 at 2:53 PM, Varun Lodaya <Varun_Lodaya at symantec.com>
wrote:

> Hey Kevin,
>
> Thanks for the quick response. But any particular use-case where we would
> need port/network from different tenants unless it’s a shared network?
>
> Thanks,
> Varun
>
> From: Kevin Benton <blak111 at gmail.com>
> Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Date: Tuesday, February 10, 2015 at 2:33 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [neutron] - port-create with network from a
> different tenant does not fail
>
> You can have ports from different tenants in a network. It's an admin-only
> capability unless the network is marked as "shared".
>
> On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya <Varun_Lodaya at symantec.com>
> wrote:
>
>> Adding the right subject line.
>>
>> From: Varun Lodaya <Varun_Lodaya at symantec.com>
>> Date: Tuesday, February 10, 2015 at 2:26 PM
>> To: "OpenStack Development Mailing List (not for usage questions)" <
>> openstack-dev at lists.openstack.org>
>> Subject: port-create with network from a different tenant does not fail
>>
>> Hi,
>>
>> We were seeing this issue where if the user role is admin in 2 tenants A
>> and B and he issues neutron port-create <network-id> in tenant A where
>> <network-id> is in tenant B, it ends up creating that port. Ideally, it
>> should have failed since you cannot have the port/network in different
>> tenants.
>>
>> varunlodaya at ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
>> +-----------------------+----------------------------------------------------------------------------------+
>> | Field                 | Value                                                                            |
>> +-----------------------+----------------------------------------------------------------------------------+
>> | admin_state_up        | True                                                                             |
>> | allowed_address_pairs |                                                                                  |
>> | binding:host_id       |                                                                                  |
>> | binding:profile       | {}                                                                               |
>> | binding:vif_details   | {}                                                                               |
>> | binding:vif_type      | unbound                                                                          |
>> | binding:vnic_type     | normal                                                                           |
>> | device_id             |                                                                                  |
>> | device_owner          |                                                                                  |
>> | extra_dhcp_opts       |                                                                                  |
>> | fixed_ips             | {"subnet_id": "8c9f5682-daf8-40e1-9b6a-57cfed7f024c", "ip_address": "10.1.1.13"} |
>> | id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                             |
>> | mac_address           | fa:16:3e:18:6e:95                                                                |
>> | name                  |                                                                                  |
>> | network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                             |
>> | security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                             |
>> | status                | DOWN                                                                             |
>> | tenant_id             | d0d1e6e21268418b8888b0adcea413a3                                                 |
>> +-----------------------+----------------------------------------------------------------------------------+
>> varunlodaya at ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
>> +---------------------------+--------------------------------------+
>> | Field                     | Value                                |
>> +---------------------------+--------------------------------------+
>> | admin_state_up            | True                                 |
>> | id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
>> | name                      | alt_private                          |
>> | provider:network_type     | vxlan                                |
>> | provider:physical_network |                                      |
>> | provider:segmentation_id  | 1003                                 |
>> | router:external           | False                                |
>> | shared                    | False                                |
>> | status                    | ACTIVE                               |
>> | subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
>> | tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
>> +---------------------------+--------------------------------------+
>> varunlodaya at ubuntu:~/devstack$
>>
>>
>> Is this an expected behavior or a known bug? Should I create a new one?
>>
>> Thanks,
>> Varun
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Kevin Benton
>
>
>


-- 
Kevin Benton
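
An added example, not part of the original thread or of Neutron's code: a Python sketch that parses `neutron port-show` / `net-show` table output and classifies a port by the rule described in this thread (cross-tenant ports are admin-only unless the network is shared). The sample tables are abridged from the output quoted above; the function names and the three labels are assumptions made for this illustration.

```python
# Sample tables abridged from the CLI output quoted in the thread.
PORT_SHOW = """
+------------+--------------------------------------+
| Field      | Value                                |
+------------+--------------------------------------+
| id         | fc6917ea-0c0c-4ec5-9202-4441701c9984 |
| network_id | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| tenant_id  | d0d1e6e21268418b8888b0adcea413a3     |
+------------+--------------------------------------+
"""
NET_SHOW = """
+-----------+--------------------------------------+
| Field     | Value                                |
+-----------+--------------------------------------+
| id        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| shared    | False                                |
| tenant_id | 099bfd6e59434b51a479ab7142ff01df     |
+-----------+--------------------------------------+
"""

def parse_table(text):
    """Turn a two-column Field/Value CLI table into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, prompts and blank lines
        cells = [c.strip() for c in line.strip("|").split("|", 1)]
        if len(cells) == 2 and cells[0] != "Field":
            fields[cells[0]] = cells[1]
    return fields

def classify_port(port, network):
    """Label a port by how its owner relates to the owner of its network."""
    if port["network_id"] != network["id"]:
        raise ValueError("port is not attached to this network")
    if port["tenant_id"] == network["tenant_id"]:
        return "same-tenant"
    if network["shared"] == "True":
        return "cross-tenant-shared"      # any tenant may attach
    return "cross-tenant-admin-only"      # only an admin could have created it

if __name__ == "__main__":
    port, net = parse_table(PORT_SHOW), parse_table(NET_SHOW)
    print(port["id"], classify_port(port, net))
```

Ports labelled cross-tenant-admin-only are the ones worth reviewing, since per the thread they can only exist through an admin-role request.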