[openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Varun Lodaya
Varun_Lodaya at symantec.com
Tue Feb 10 23:12:54 UTC 2015
Ohk, a hacky way to share network across specific tenants. Cool, thanks Kevin.
- Varun
From: Kevin Benton <blak111 at gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, February 10, 2015 at 3:06 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Unfortunately shared networks right now have no fine-grained control so every single tenant can attach to a network once it is marked as shared. So if you have one tenant who wants to have another tenant attach a few servers to his/her network, the only choice is to have the admin do it via the operation you described above.
On Tue, Feb 10, 2015 at 2:53 PM, Varun Lodaya <Varun_Lodaya at symantec.com> wrote:
Hey Kevin,
Thanks for the quick response. But any particular use-case where we would need port/network from different tenants unless it’s a shared network?
Thanks,
Varun
From: Kevin Benton <blak111 at gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, February 10, 2015 at 2:33 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] - port-create with network from a different tenant does not fail
You can have ports from different tenants in a network. It's an admin-only capability unless the network is marked as "shared".
On Tue, Feb 10, 2015 at 2:30 PM, Varun Lodaya <Varun_Lodaya at symantec.com> wrote:
Adding the right subject line.
From: Varun Lodaya <Varun_Lodaya at symantec.com>
Date: Tuesday, February 10, 2015 at 2:26 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: port-create with network from a different tenant does not fail
Hi,
We were seeing this issue where if the user role is admin in 2 tenants A and B and he issues neutron port-create <network-id> in tenant A where <network-id> is in tenant B, it ends up creating that port. Ideally, it should have failed since you cannot have the port/network in different tenants.
varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
+-----------------------+----------------------------------------------------------------------------------+
| Field                 | Value                                                                            |
+-----------------------+----------------------------------------------------------------------------------+
| admin_state_up        | True                                                                             |
| allowed_address_pairs |                                                                                  |
| binding:host_id       |                                                                                  |
| binding:profile       | {}                                                                               |
| binding:vif_details   | {}                                                                               |
| binding:vif_type      | unbound                                                                          |
| binding:vnic_type     | normal                                                                           |
| device_id             |                                                                                  |
| device_owner          |                                                                                  |
| extra_dhcp_opts       |                                                                                  |
| fixed_ips             | {"subnet_id": "8c9f5682-daf8-40e1-9b6a-57cfed7f024c", "ip_address": "10.1.1.13"} |
| id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                             |
| mac_address           | fa:16:3e:18:6e:95                                                                |
| name                  |                                                                                  |
| network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                             |
| security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                             |
| status                | DOWN                                                                             |
| tenant_id             | d0d1e6e21268418b8888b0adcea413a3                                                 |
+-----------------------+----------------------------------------------------------------------------------+
varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| name                      | alt_private                          |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1003                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
| tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
+---------------------------+--------------------------------------+
varunlodaya@ubuntu:~/devstack$
Is this an expected behavior or a known bug? Should I create a new one?
Thanks,
Varun
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Kevin Benton
--
Kevin Benton
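
Added example (not part of the original thread and not Neutron code): an audit that lists ports whose tenant_id differs from the owning network's tenant_id, which per the replies above only happens on a "shared" network or when an admin created the port. The dict fields mirror the port-show/net-show output in the thread; the function name and the approved allow-list are hypothetical.

```python
# Added example: flag cross-tenant ports in Neutron port/network listings.
# Field names follow the port-show / net-show output quoted in the thread.

def find_cross_tenant_ports(ports, networks, approved=frozenset()):
    """Return one finding per port whose tenant differs from the network owner.

    approved: hypothetical allow-list of (network_id, port_tenant_id) pairs
    that an operator has signed off on.
    """
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        net = nets.get(port["network_id"])
        if net is None:
            # Network missing from the listing: report it instead of guessing.
            findings.append({"port_id": port["id"], "reason": "unknown-network"})
            continue
        if port["tenant_id"] == net["tenant_id"]:
            continue
        # Any tenant can attach to a shared network; on a non-shared
        # network the port can only have been created by an admin.
        reason = "shared-network" if net.get("shared") else "admin-created"
        findings.append({
            "port_id": port["id"],
            "port_tenant": port["tenant_id"],
            "network_id": net["id"],
            "network_tenant": net["tenant_id"],
            "reason": reason,
            "approved": (net["id"], port["tenant_id"]) in approved,
        })
    return findings

# The network and the first port use the values shown in the thread;
# the second port is constructed for contrast (same tenant as the network).
NETWORKS = [{"id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
             "tenant_id": "099bfd6e59434b51a479ab7142ff01df",
             "shared": False}]
PORTS = [
    {"id": "fc6917ea-0c0c-4ec5-9202-4441701c9984",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "d0d1e6e21268418b8888b0adcea413a3"},
    {"id": "constructed-same-tenant-port",
     "network_id": "0036a345-35ea-42c8-a66c-f9831d0a03a5",
     "tenant_id": "099bfd6e59434b51a479ab7142ff01df"},
]

if __name__ == "__main__":
    for finding in find_cross_tenant_ports(PORTS, NETWORKS):
        print(finding)
```
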