[nova][neutron] Can we remove the 'network:attach_external_network' policy check from nova-compute?
melanie witt
melwittt at gmail.com
Fri Mar 5 16:26:19 UTC 2021
Hello all,

I'm seeking input from the neutron and nova teams regarding policy
enforcement for allowing attachment to external networks. Details below.

Recently we've been looking at an issue that was reported quite a long
time ago (2017) [1] where we have a policy check in nova-compute that
controls whether to allow users to attach an external network to their
instances.

This has historically been a pain point for operators as (1) it goes
against convention of having policy checks in nova-api only and (2)
setting the policy to anything other than the default requires deploying
a policy file change to all of the compute hosts in the deployment.

The launchpad bug report mentions neutron refactoring work that was
happening at the time, which was thought might make the
'network:attach_external_network' policy check on the nova side redundant.
Years have passed since then and customers are still running into this
problem, so we are thinking, can this policy check be removed on the
nova-compute side now?

I did a local test with devstack to verify what the behavior is if we
were to remove the 'network:attach_external_network' policy check
entirely [2] and found that neutron appears to properly enforce
permission to attach to external networks itself. It appears that the
enforcement on the neutron side makes the nova policy check redundant.
When I tried to boot an instance to attach to an external network,
neutron API returned the following:

INFO neutron.pecan_wsgi.hooks.translation [req-58fdb103-cd20-48c9-b73b-c9074061998c req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] POST failed (client error): Tenant 7c60976c662a414cb2661831ff41ee30 not allowed to create port on this network
[...]
INFO neutron.wsgi [req-58fdb103-cd20-48c9-b73b-c9074061998c req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] 127.0.0.1 "POST /v2.0/ports HTTP/1.1" status: 403 len: 360 time: 0.1582518

Can anyone from the neutron team confirm whether it would be OK for us
to remove our nova-compute policy check for external network attach
permission and let neutron take care of the check?

And on the nova side, I assume we would need a deprecation cycle before
removing the 'network:attach_external_network' policy. If we can get
confirmation from the neutron team, is anyone opposed to the idea of
deprecating the 'network:attach_external_network' policy in the Wallaby
cycle, to be removed in the Xena release?

I would appreciate your thoughts.

Cheers,
-melanie

[1] https://bugs.launchpad.net/nova/+bug/1675486
[2] https://bugs.launchpad.net/nova/+bug/1675486/comments/4
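Added example, not part of the mail above and not nova or neutron code: an operator who relies on neutron's enforcement after the nova-compute check goes away will want to see those 403s in neutron's own logs. The parser below correlates the two kinds of lines quoted in the mail (the pecan translation hook line carrying the denial reason, and the neutron.wsgi access line carrying the status) by request id, and reports denied POST /v2.0/ports requests with the tenant named in the reason. The sample input is the quoted excerpt re-joined onto single lines plus one constructed 201 line for contrast; reading the bracketed context as "[request_id global_request_id user project]" is an assumption based on oslo.log's default context format.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: the neutron excerpt quoted in the mail, re-joined onto
# single lines, plus one made-up admin request that succeeded (201) and must
# not be reported.
SAMPLE_LOG = [
    "INFO neutron.pecan_wsgi.hooks.translation "
    "[req-58fdb103-cd20-48c9-b73b-c9074061998c "
    "req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] POST failed (client "
    "error): Tenant 7c60976c662a414cb2661831ff41ee30 not allowed to create "
    "port on this network",
    "INFO neutron.wsgi [req-58fdb103-cd20-48c9-b73b-c9074061998c "
    "req-4d68df7e-e0fd-4b1e-9b57-733731123d46 demo demo] 127.0.0.1 \"POST "
    "/v2.0/ports HTTP/1.1\" status: 403 len: 360 time: 0.1582518",
    # constructed line, not from the mail
    "INFO neutron.wsgi [req-00000000-0000-0000-0000-000000000001 "
    "req-00000000-0000-0000-0000-000000000002 admin admin] 127.0.0.1 \"POST "
    "/v2.0/ports HTTP/1.1\" status: 201 len: 900 time: 0.2000000",
]

# Access line. Assumption: bracket is "[request_id global_request_id user project]"
# as in oslo.log's default context format; the global request id is the one
# the caller (here nova) passed along.
WSGI_RE = re.compile(
    r'^INFO neutron\.wsgi \[(?P<request_id>req-[0-9a-f-]+) '
    r'(?P<global_request_id>req-[0-9a-f-]+|-) (?P<user>\S+) (?P<project>\S+)\] '
    r'(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" '
    r'status: (?P<status>\d+)'
)

# Translation-hook line: carries the human-readable reason for a client error.
TRANSLATION_RE = re.compile(
    r'^INFO neutron\.pecan_wsgi\.hooks\.translation '
    r'\[(?P<request_id>req-[0-9a-f-]+) (?:req-[0-9a-f-]+|-) \S+ \S+\] '
    r'(?P<method>[A-Z]+) failed \(client error\): (?P<reason>.+)$'
)

# The tenant id embedded in the reason string shown in the mail.
TENANT_RE = re.compile(r'Tenant (?P<tenant>[0-9a-f]{32}) not allowed')


def find_denied_port_creates(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per POST /v2.0/ports request that neutron answered 403.

    The reason line is logged before the access line for the same request id
    (as in the quoted excerpt), so reasons are remembered and attached when the
    matching access line arrives. A 403 with no reason line is still reported,
    with reason and tenant set to None.
    """
    reasons: Dict[str, str] = {}
    denials: List[Dict[str, object]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        t = TRANSLATION_RE.match(line)
        if t:
            reasons[t.group("request_id")] = t.group("reason")
            continue
        w = WSGI_RE.match(line)
        if not w:
            continue
        status = int(w.group("status"))
        if status != 403 or w.group("method") != "POST":
            continue
        if not w.group("path").startswith("/v2.0/ports"):
            continue
        reason: Optional[str] = reasons.get(w.group("request_id"))
        tenant_match = TENANT_RE.search(reason) if reason else None
        denials.append({
            "request_id": w.group("request_id"),
            "global_request_id": w.group("global_request_id"),
            "user": w.group("user"),
            "project": w.group("project"),
            "path": w.group("path"),
            "status": status,
            "reason": reason,
            "tenant": tenant_match.group("tenant") if tenant_match else None,
        })
    return denials


if __name__ == "__main__":
    for hit in find_denied_port_creates(SAMPLE_LOG):
        print(f"{hit['request_id']} project={hit['project']} "
              f"tenant={hit['tenant']} -> {hit['status']}: {hit['reason']}")
```

Run it against a neutron-server log instead of SAMPLE_LOG to confirm that port creation on an external network is being refused by neutron itself; the global request id in each record is what ties the neutron denial back to the nova request that triggered it.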