[Openstack] CLI vs Horizon dashboard has different view of networks created by devstack
Akihiro Motoki
amotoki at gmail.com
Mon Oct 6 05:09:59 UTC 2014
It is the expected behavior, as per the original design.

In the Neutron API, if a user has the admin role, the user can see all resources from all tenants. The CLI just sends a request to the Neutron API, so the result of net-list with the admin role lists both networks. In addition, a network with router:external=True (in this case the "public" network) is visible to non-admin users so that regular users can know the floating IP pools. (A network with router:external=True is a floating IP pool.)

In Horizon, the network list in the Project panel only lists networks from the current project. It is the intended behavior. The admin network panel is used to list all networks from all projects. Regarding the "public" network, it is not listed in the project network panel because the "public" network is a floating IP pool and there is no need for it to be listed in the network panel. It is used in the Floating IP Allocation form.

Regarding VM launching, it is the intended behavior too. In the CLI case, the Neutron API allows admin users to create a port on any network even if the network belongs to another project. This is the reason the "admin" user with the "admin" tenant can launch an instance connected to the "private" network of the "demo" project.

Horizon honors the typical use case to avoid complicated use cases. Horizon developers think it is a special use case where an admin user launches an instance connected to other projects. This is the reason an admin user cannot launch an instance connected to the "private" network from the "demo" project. If there is such a special need, it can be done through the CLI.

I hope it helps you understand the behavior.
Thanks,
Akihiro
On Mon, Oct 6, 2014 at 8:29 AM, Danny Choi (dannchoi)
<dannchoi at cisco.com> wrote:
> Hi,
>
> I used devstack to deploy Juno OpenStack.
>
> By default, devstack created 2 users: admin (with role “admin”) and demo.
>
> localadmin at qa4:~/devstack$ source openrc admin admin
> localadmin at qa4:~/devstack$ keystone user-list
> +----------------------------------+----------+---------+----------------------+
> | id | name | enabled | email |
> +----------------------------------+----------+---------+----------------------+
> | 8ad8cd428ac94cd1a888d4372a61cabc | admin | True | | <<<
> | e057de661e644f709899b169dd716037 | alt_demo | True | alt_demo at example.com |
> | d55afe55b4de4815bc3e832b2684abd8 | cinder | True | |
> | 57a3f7eefcff4a37b064938ebf7335da | demo | True | demo at example.com | <<<
> | e40971caaf8040d2bc91ec62ad846377 | glance | True | |
> | b6920c6626144595807f40ac36a453e4 | heat | True | |
> | 71af3e61cb63442ea6a91fcd221487dd | neutron | True | |
> | 259fb79c8bfa4c0f9d5df37c45868ce8 | nova | True | |
> +----------------------------------+----------+---------+----------------------+
>
> localadmin at qa4:~/devstack$ keystone tenant-list
> +----------------------------------+--------------------+---------+
> | id | name | enabled |
> +----------------------------------+--------------------+---------+
> | 55ec74628b004fedbef9b8cad130a442 | admin | True | <<<
> | 2e6b7da08b9643cc95518c8efc7f71c3 | alt_demo | True |
> | 51dcdd7f6f6545bd8bb49aeb556dab48 | demo | True | <<<
> | e9f10b3e51fd4ff68150ec82eeeac3e4 | invisible_to_admin | True |
> | 4264b64d7697419886ebf2ef141069a5 | service | True |
> +----------------------------------+--------------------+---------+
>
> localadmin at qa4:~/devstack$ keystone user-get admin
> +----------+----------------------------------+
> | Property | Value |
> +----------+----------------------------------+
> | email | |
> | enabled | True |
> | id | 8ad8cd428ac94cd1a888d4372a61cabc |
> | name | admin |
> | tenantId | 55ec74628b004fedbef9b8cad130a442 | <<< tenant=admin
> | username | admin |
> +----------+----------------------------------+
>
> localadmin at qa4:~/devstack$ keystone user-get demo
> +----------+----------------------------------+
> | Property | Value |
> +----------+----------------------------------+
> | email | demo at example.com |
> | enabled | True |
> | id | 57a3f7eefcff4a37b064938ebf7335da |
> | name | demo |
> | tenantId | 51dcdd7f6f6545bd8bb49aeb556dab48 | <<< tenant=demo
> | username | demo |
> +----------+----------------------------------+
>
> localadmin at qa4:~/devstack$ keystone user-role-list --user admin --tenant admin
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id | name | user_id | tenant_id |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> | 1f4f0d145e71452d9e633c63baae3696 | admin | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> | 98b3a4cad94949319d99acde115f682b | heat_stack_owner | 8ad8cd428ac94cd1a888d4372a61cabc | 55ec74628b004fedbef9b8cad130a442 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
>
> localadmin at qa4:~/devstack$ keystone user-role-list --user demo --tenant demo
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | id | name | user_id | tenant_id |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
> | b3831a6a7eac4b8996ba428345cb9067 | Member | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 750c89eea84f4e53852033331c835617 | anotherrole | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | 98b3a4cad94949319d99acde115f682b | heat_stack_owner | 57a3f7eefcff4a37b064938ebf7335da | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> +----------------------------------+------------------+----------------------------------+----------------------------------+
>
>
> There are 2 networks created, public (tenant = admin) and private (tenant =
> demo); and both networks are not shared.
>
> localadmin at qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id | name | subnets |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+----------------------------------------------------+
>
> localadmin at qa4:~/devstack$ neutron net-show public
> +---------------------------+--------------------------------------+
> | Field | Value |
> +---------------------------+--------------------------------------+
> | admin_state_up | True |
> | id | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d |
> | name | public |
> | provider:network_type | vlan |
> | provider:physical_network | p1p1 |
> | provider:segmentation_id | 301 |
> | router:external | True |
> | shared | False |
> | status | ACTIVE |
> | subnets | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 |
> | tenant_id | 55ec74628b004fedbef9b8cad130a442 | <<< tenant=admin
> +---------------------------+--------------------------------------+
>
> localadmin at qa4:~/devstack$ neutron net-show private
> +---------------------------+--------------------------------------+
> | Field | Value |
> +---------------------------+--------------------------------------+
> | admin_state_up | True |
> | id | 94d1e13c-cebc-419d-af06-49e6b4f01304 |
> | name | private |
> | provider:network_type | vlan |
> | provider:physical_network | p1p1 |
> | provider:segmentation_id | 300 |
> | router:external | False |
> | shared | False |
> | status | ACTIVE |
> | subnets | 1265bbd4-e775-4d9b-a7d5-498848c09b37 |
> | tenant_id | 51dcdd7f6f6545bd8bb49aeb556dab48 | <<< tenant=demo
> +---------------------------+--------------------------------------+
>
>
> In CLI, both networks are visible for both users admin and demo.
>
> localadmin at qa4:~/devstack$ source openrc admin admin
> localadmin at qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id | name | subnets |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+----------------------------------------------------+
>
> localadmin at qa4:~/devstack$
>
> localadmin at qa4:~/devstack$
>
> localadmin at qa4:~/devstack$ source openrc demo demo
> localadmin at qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+--------------------------------------------------+
> | id | name | subnets |
> +--------------------------------------+---------+--------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+--------------------------------------------------+
>
>
>
> In Horizon dashboard, I logged in as user admin.
>
> From the Projects pulldown, select admin.
> At the left pane, Project->Network->Networks, only the "public" network is shown.
>
> From the Projects pulldown, select demo.
> At the left pane, Project->Network->Networks, only the "private" network is shown.
>
> As a result, when I launch an instance with Horizon dashboard, I can only attach the public network (when project = admin) or the private network (when project = demo).
>
> However, in CLI, as user admin, I can launch an instance with public or private network.
>
>
> localadmin at qa4:~/devstack$ source openrc admin admin
> localadmin at qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+----------------------------------------------------+
> | id | name | subnets |
> +--------------------------------------+---------+----------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 172.24.4.0/24 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+----------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=2d113f8c-d742-4f2f-8cf2-a8e56749d51d vm1
> +--------------------------------------+----------------------------------------------------------------+
> | Property | Value |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig | MANUAL |
> | OS-EXT-AZ:availability_zone | nova |
> | OS-EXT-SRV-ATTR:host | - |
> | OS-EXT-SRV-ATTR:hypervisor_hostname | - |
> | OS-EXT-SRV-ATTR:instance_name | instance-0000000a |
> | OS-EXT-STS:power_state | 0 |
> | OS-EXT-STS:task_state | scheduling |
> | OS-EXT-STS:vm_state | building |
> | OS-SRV-USG:launched_at | - |
> | OS-SRV-USG:terminated_at | - |
> | accessIPv4 | |
> | accessIPv6 | |
> | adminPass | 3ZGJRjr6s3bk |
> | config_drive | |
> | created | 2014-10-05T23:03:36Z |
> | flavor | m1.tiny (1) |
> | hostId | |
> | id | c308e2a1-1763-4d05-84ed-8fcf5f02abab |
> | image | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name | - |
> | metadata | {} |
> | name | vm1 |
> | os-extended-volumes:volumes_attached | [] |
> | progress | 0 |
> | security_groups | default |
> | status | BUILD |
> | tenant_id | 55ec74628b004fedbef9b8cad130a442 |
> | updated | 2014-10-05T23:03:36Z |
> | user_id | 8ad8cd428ac94cd1a888d4372a61cabc |
> +--------------------------------------+----------------------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova list
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | ID | Name | Status | Task State | Power State | Networks |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | c308e2a1-1763-4d05-84ed-8fcf5f02abab | vm1 | ACTIVE | - | Running | public=172.24.4.4 |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
>
> localadmin at qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=94d1e13c-cebc-419d-af06-49e6b4f01304 vm2
> +--------------------------------------+----------------------------------------------------------------+
> | Property | Value |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig | MANUAL |
> | OS-EXT-AZ:availability_zone | nova |
> | OS-EXT-SRV-ATTR:host | - |
> | OS-EXT-SRV-ATTR:hypervisor_hostname | - |
> | OS-EXT-SRV-ATTR:instance_name | instance-0000000b |
> | OS-EXT-STS:power_state | 0 |
> | OS-EXT-STS:task_state | scheduling |
> | OS-EXT-STS:vm_state | building |
> | OS-SRV-USG:launched_at | - |
> | OS-SRV-USG:terminated_at | - |
> | accessIPv4 | |
> | accessIPv6 | |
> | adminPass | fLQ7xn8pgAhc |
> | config_drive | |
> | created | 2014-10-05T23:04:09Z |
> | flavor | m1.tiny (1) |
> | hostId | |
> | id | 536a509f-7941-466a-9508-ce26f599f10a |
> | image | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name | - |
> | metadata | {} |
> | name | vm2 |
> | os-extended-volumes:volumes_attached | [] |
> | progress | 0 |
> | security_groups | default |
> | status | BUILD |
> | tenant_id | 55ec74628b004fedbef9b8cad130a442 |
> | updated | 2014-10-05T23:04:09Z |
> | user_id | 8ad8cd428ac94cd1a888d4372a61cabc |
> +--------------------------------------+----------------------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova list
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | ID | Name | Status | Task State | Power State | Networks |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
> | c308e2a1-1763-4d05-84ed-8fcf5f02abab | vm1 | ACTIVE | - | Running | public=172.24.4.4 |
> | 536a509f-7941-466a-9508-ce26f599f10a | vm2 | ACTIVE | - | Running | private=10.0.0.9 |
> +--------------------------------------+------+--------+------------+-------------+-------------------+
>
>
> And as user demo, I can only attach the private network to an instance.
>
>
> localadmin at qa4:~/devstack$ source openrc demo demo
> localadmin at qa4:~/devstack$ neutron net-list
> +--------------------------------------+---------+--------------------------------------------------+
> | id | name | subnets |
> +--------------------------------------+---------+--------------------------------------------------+
> | 2d113f8c-d742-4f2f-8cf2-a8e56749d51d | public | ab40f80e-aaf6-43ab-a1da-92f8ac7f7246 |
> | 94d1e13c-cebc-419d-af06-49e6b4f01304 | private | 1265bbd4-e775-4d9b-a7d5-498848c09b37 10.0.0.0/24 |
> +--------------------------------------+---------+--------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=94d1e13c-cebc-419d-af06-49e6b4f01304 cirros-1
> +--------------------------------------+----------------------------------------------------------------+
> | Property | Value |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig | MANUAL |
> | OS-EXT-AZ:availability_zone | nova |
> | OS-EXT-STS:power_state | 0 |
> | OS-EXT-STS:task_state | scheduling |
> | OS-EXT-STS:vm_state | building |
> | OS-SRV-USG:launched_at | - |
> | OS-SRV-USG:terminated_at | - |
> | accessIPv4 | |
> | accessIPv6 | |
> | adminPass | gYHta22xTK9a |
> | config_drive | |
> | created | 2014-10-05T23:17:28Z |
> | flavor | m1.tiny (1) |
> | hostId | |
> | id | 791ad866-420d-4e32-baad-b34f0b6e50d1 |
> | image | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name | - |
> | metadata | {} |
> | name | cirros-1 |
> | os-extended-volumes:volumes_attached | [] |
> | progress | 0 |
> | security_groups | default |
> | status | BUILD |
> | tenant_id | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | updated | 2014-10-05T23:17:28Z |
> | user_id | 57a3f7eefcff4a37b064938ebf7335da |
> +--------------------------------------+----------------------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova list
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | ID | Name | Status | Task State | Power State | Networks |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | 791ad866-420d-4e32-baad-b34f0b6e50d1 | cirros-1 | ACTIVE | - | Running | private=10.0.0.12 |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
>
> localadmin at qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=2d113f8c-d742-4f2f-8cf2-a8e56749d51d cirros-2
> +--------------------------------------+----------------------------------------------------------------+
> | Property | Value |
> +--------------------------------------+----------------------------------------------------------------+
> | OS-DCF:diskConfig | MANUAL |
> | OS-EXT-AZ:availability_zone | nova |
> | OS-EXT-STS:power_state | 0 |
> | OS-EXT-STS:task_state | scheduling |
> | OS-EXT-STS:vm_state | building |
> | OS-SRV-USG:launched_at | - |
> | OS-SRV-USG:terminated_at | - |
> | accessIPv4 | |
> | accessIPv6 | |
> | adminPass | aZRHa3ZgQAHP |
> | config_drive | |
> | created | 2014-10-05T23:18:13Z |
> | flavor | m1.tiny (1) |
> | hostId | |
> | id | 6ffd8081-8659-40b3-b7c2-dc6746855692 |
> | image | cirros-0.3.2-x86_64-uec (ea46d1d4-6c10-4f91-96e3-9ccd9cb8d76b) |
> | key_name | - |
> | metadata | {} |
> | name | cirros-2 |
> | os-extended-volumes:volumes_attached | [] |
> | progress | 0 |
> | security_groups | default |
> | status | BUILD |
> | tenant_id | 51dcdd7f6f6545bd8bb49aeb556dab48 |
> | updated | 2014-10-05T23:18:13Z |
> | user_id | 57a3f7eefcff4a37b064938ebf7335da |
> +--------------------------------------+----------------------------------------------------------------+
>
> localadmin at qa4:~/devstack$ nova list
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | ID | Name | Status | Task State | Power State | Networks |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
> | 791ad866-420d-4e32-baad-b34f0b6e50d1 | cirros-1 | ACTIVE | - | Running | private=10.0.0.12 |
> | 6ffd8081-8659-40b3-b7c2-dc6746855692 | cirros-2 | ERROR | - | NOSTATE | |
> +--------------------------------------+----------+--------+------------+-------------+-------------------+
>
>
>
> Is this the expected behavior?
>
>
> Thanks,
>
> Danny
>
>
>
--
Akihiro Motoki <amotoki at gmail.com>
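
The rules described in this thread, as an added Python sketch that is not Neutron or Horizon code and not part of the original messages. It models API visibility, port creation and the Horizon project panel for the two networks shown above; the names `api_visible`, `api_can_attach`, `horizon_project_panel` and `ui_api_gap` are hypothetical, shared networks are not modelled (both networks here are shared=False), and the owner-only rule for non-admin port creation is an assumption that matches the observed cirros-2 failure.

```python
# Added illustration of the rules described in this thread.
# Simplified model only: not Neutron or Horizon code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    name: str
    tenant: str      # owning tenant/project name
    external: bool   # router:external


@dataclass(frozen=True)
class Context:
    user: str
    tenant: str
    is_admin: bool


# Constructed from the net-show output quoted in the thread (both shared=False).
NETWORKS = (
    Network("public", tenant="admin", external=True),
    Network("private", tenant="demo", external=False),
)
ADMIN = Context("admin", "admin", is_admin=True)
DEMO = Context("demo", "demo", is_admin=False)


def api_visible(ctx, nets=NETWORKS):
    """net-list via the API: admin sees every tenant's networks; others see
    their own plus external networks (the floating IP pools)."""
    return [n.name for n in nets
            if ctx.is_admin or n.tenant == ctx.tenant or n.external]


def api_can_attach(ctx, net):
    """Port creation: admin may use any network. For non-admins, owner-only is
    an assumption that matches the thread's result (cirros-2 ends in ERROR)."""
    return ctx.is_admin or net.tenant == ctx.tenant


def horizon_project_panel(project, nets=NETWORKS):
    """Project > Network > Networks: only networks owned by the current project."""
    return [n.name for n in nets if n.tenant == project]


def ui_api_gap(ctx, nets=NETWORKS):
    """Networks the API lets ctx attach to that the project panel never shows."""
    shown = set(horizon_project_panel(ctx.tenant, nets))
    return sorted(n.name for n in nets
                  if api_can_attach(ctx, n) and n.name not in shown)


if __name__ == "__main__":
    for ctx in (ADMIN, DEMO):
        print(ctx.user, "API sees:", api_visible(ctx),
              "| panel shows:", horizon_project_panel(ctx.tenant),
              "| attachable but hidden:", ui_api_gap(ctx))
```

The non-empty gap for the admin context is the point to carry into an access review: the dashboard's narrower view is a UI choice, while the API's authorization is what actually bounds what an admin-role token can reach across tenants.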