[Openstack] [nova-network] add-network-to-project

Ajiva Fan aji.zqfan at gmail.com
Fri Mar 29 04:45:06 UTC 2013


Thanks Vish

I think it is better not to modify the wsgi file, which other extensions
depend on; it would not be safe for them.

My opinion is to modify only the networks extension, for example by adding
project-id along with network-id in the body, so that NetworkController.add()
uses the project-id from the body instead of from the context. (This solution
is mentioned in my mail on Mar 8.)

There is a danger that if an admin:user-project passes the authentication,
then since he has the admin role he can associate any network to any project,
or I may have some misunderstanding of the authentication. If only admin:admin
has a valid authorization on the networks extension, then this is safe. (PS: I
think the option you mentioned to check context.is_admin will have the same
problem if admin:user-project's context sets is_admin to True.)


Best wishes.

PS:
Details of why adding project-id in the body is not safe are listed below:
Here is my knowledge from following the extension's authentication:

In networks.py there is a function pointer:
authorize = extensions.extension_authorizer('compute', 'networks')

and the NetworkController.add() method invokes

authorize(context)

In nova.api.openstack.extensions.extension_authorizer() it says (in Essex it
is the same):

def extension_authorizer(api_name, extension_name):
    def authorize(context, target=None):
        if target is None:
            target = {'project_id': context.project_id,
                      'user_id': context.user_id}
        action = '%s_extension:%s' % (api_name, extension_name)
        nova.policy.enforce(context, action, target)
    return authorize

In /etc/nova/policy.json, the networks extension's rule is:
"admin_api": [["is_admin:True"]],
"compute_extension:networks": [["rule:admin_api"]],

nova.openstack.common.policy will run _check_rule(), _check_role() and
_check_generic(), and _check_generic() will check
context["is_admin"] == True.

nova.api.auth.NovaKeystoneContext instantiates nova.context.RequestContext
with self.is_admin = nova.policy.check_is_admin(self.roles), while
check_is_admin only invokes nova.openstack.common.policy.enforce() to check
whether it has a role named "admin". So if
keystone.middleware.auth_token.py fills the header with "admin" in
"X-Roles", this will be authorized, which
I think means admin:user-project will be valid.



On Thu, Mar 28, 2013 at 11:12 PM, Vishvananda Ishaya
<vishvananda at gmail.com>wrote:

> I just looked at the code and it appears this is not possible through the
> os_networks extension. This appears to be an oversight. It should probably
> allow a project to be passed in.
>
> Bug report here: https://bugs.launchpad.net/nova/+bug/1161441
>
> That said, the first time a user boots an instance, he automatically gets
> assigned a network, so in many cases it isn't needed.
>
> Another option would be to modify the code you mentioned to allow a
> workaround:
>
> if (context and not context.is_admin and project_id and (project_id !=
> context.project_id)):
>
> Vish
>
> On Mar 28, 2013, at 1:46 AM, Ajiva Fan <aji.zqfan at gmail.com> wrote:
>
> Hello everyone:
>
> I have a very simple question which has confused me for a long time:
> how should I add a network to a project via the REST API?
>
> 1) I'm admin of the whole cloud env, Essex (I think Folsom is the same in
> this case)
> 2) using nova-network:vlan (if using flatdhcp, the associate action is
> meaningless)
> 3) a user project "user-project" is created, and the admin:admin is not
> that project's admin (and not even a member of it)
> 4) a network "user-network" is created, but not associated with
> "user-project"
> 5) how to associate "user-network" with "user-project"?
>
> I know I can use "nova-manage" via nova-client on the control node,
> but what I need to know is how to do this operation via the REST API, like
> with curl or in Horizon.
>
> The REST API is: http://api.openstack.org/api-ref.html
> POST
> v2/{tenant_id}/os-networks/add
> with a body identifying the network's id
>
> The problem is that even if I have an admin:admin token, I *cannot*
> associate "user-network" with "user-project",
> because in the source code of Folsom (and Essex) nova, in
> nova.api.openstack.wsgi.py at line 931, I find this:
>
>         project_id = action_args.pop("project_id", None)
>         context = request.environ.get('nova.context')
>         if (context and project_id and (project_id != context.project_id
> )):
>             msg = _("Malformed request url")
>             return Fault(webob.exc.HTTPBadRequest(explanation=msg))
>
> Since nova.context.project_id is the admin project's id, and project_id
> is extracted from the URL,
> the webob.exc is returned.
>
> Please help me. I have read a lot (both documentation and source code; I
> just cannot understand or am missing something important)
> but still don't know how to do it.
>
> PS: I sent a mail to openstack-dev on Mar 8, but no one replied. Is
> my question nonsense?
> Note this mail is not exactly the same as the previous one since I have
> more knowledge of it now, but the main problem is the same.
>
>
>
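The authorization path walked through in this thread, as an added example that is not part of the thread or of nova's own code: a compact Python model of the pieces quoted above (NovaKeystoneContext deriving is_admin from the roles, extension_authorizer building a target from the caller's context, the policy.json rules for the networks extension, and the wsgi.py URL project_id check, with and without Vish's "not context.is_admin" workaround). The policy engine is a simplification of the old nova.openstack.common.policy list-of-lists format; the user names, the "other-project" target and the POLICY_SCOPED variant are constructed for illustration and do not come from the thread.

```python
# Added example (not nova's code): model of the authorization path the thread
# describes.  Rule semantics (outer list = OR, inner list = AND, "rule:",
# "role:" and generic "key:value" checks with %(field)s target substitution)
# follow the old nova.openstack.common.policy format in simplified form.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RequestContext:
    """Stand-in for nova.context.RequestContext (constructed, simplified)."""
    user_id: str
    project_id: str
    roles: List[str]
    is_admin: bool = field(init=False)

    def __post_init__(self) -> None:
        # check_is_admin(): any token carrying the "admin" role is admin,
        # whatever project the token was scoped to (X-Roles is all that counts).
        self.is_admin = any(r.lower() == "admin" for r in self.roles)


# The two rules quoted from /etc/nova/policy.json.
POLICY: Dict[str, List[List[str]]] = {
    "admin_api": [["is_admin:True"]],
    "compute_extension:networks": [["rule:admin_api"]],
}

# Hypothetical tightened rule (not from the thread): admin is still required,
# but only for the project named in the target passed to enforce().
POLICY_SCOPED: Dict[str, List[List[str]]] = {
    "admin_api": [["is_admin:True"]],
    "compute_extension:networks": [["rule:admin_api",
                                    "project_id:%(project_id)s"]],
}


def _check(check: str, creds: dict, target: dict, rules: dict) -> bool:
    kind, _, match = check.partition(":")
    if kind == "rule":                       # _check_rule
        return _enforce_rule(match, creds, target, rules)
    if kind == "role":                       # _check_role
        return match.lower() in (r.lower() for r in creds["roles"])
    # _check_generic: fill %(field)s from the target, compare to creds[kind];
    # "is_admin:True" therefore passes for every context with is_admin set.
    return str(creds.get(kind)) == (match % target)


def _enforce_rule(name: str, creds: dict, target: dict, rules: dict) -> bool:
    # Outer list is OR, inner list is AND; an unknown rule denies.
    return any(all(_check(c, creds, target, rules) for c in conj)
               for conj in rules.get(name, []))


def policy_enforce(ctx: RequestContext, action: str, target: dict,
                   rules: dict = POLICY) -> bool:
    creds = {"user_id": ctx.user_id, "project_id": ctx.project_id,
             "roles": ctx.roles, "is_admin": ctx.is_admin}
    return _enforce_rule(action, creds, target, rules)


def authorize_networks(ctx: RequestContext, target: Optional[dict] = None,
                       rules: dict = POLICY) -> bool:
    """extension_authorizer('compute', 'networks') as quoted in the thread.
    The default target is the caller's own project, so the target never
    names the project whose network membership is being changed."""
    if target is None:
        target = {"project_id": ctx.project_id, "user_id": ctx.user_id}
    return policy_enforce(ctx, "compute_extension:networks", target, rules)


def url_project_check(url_project_id: Optional[str], ctx: RequestContext,
                      admin_bypass: bool = False) -> str:
    """The wsgi.py check from the first mail; admin_bypass=True adds the
    'not context.is_admin' condition Vish suggested as a workaround."""
    if ctx and url_project_id and url_project_id != ctx.project_id:
        if not (admin_bypass and ctx.is_admin):
            return "400 Malformed request url"
    return "200"


if __name__ == "__main__":
    cloud_admin = RequestContext("alice", "admin", ["admin"])        # admin:admin
    tenant_admin = RequestContext("bob", "user-project", ["admin"])  # admin:user-project
    print(url_project_check("user-project", cloud_admin))            # rejected
    print(url_project_check("user-project", cloud_admin, True))      # workaround
    print(authorize_networks(tenant_admin,
                             {"project_id": "other-project", "user_id": "bob"}))
```

With the quoted rules, the tenant-scoped token that carries the admin role is authorized for a target in any other project, which is the risk described in the reply; the scoped variant denies that, but it also denies the cloud admin for a foreign project, because X-Roles alone does not distinguish the two kinds of admin.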