[Openstack] Help with hardcoded project_id query_filter in neutron when not admin

Johan Jatko armedguy at ludd.ltu.se
Fri Aug 17 10:09:06 UTC 2018


I got a problem with neutron-server, and I am not sure if I should 
consider it a bug, a platform limitation, or a future improvement.

My scenario is that I want to allocate floating ips from project "admin" 
to project "project1".
On project admin, I have an external network, and a router connecting 
the external network "external" and a internal network "access-network"

"access-network" is shared to "user1".

When a user in "project1" (non-admin) tries to assign floating ip to an 
instance that is connected to "access-network", the returned error is 
"Router {ID} could not be found".

Letting our projects create their own routers on the external network 
wastes a lot of IPs for us, so we would like to use a shared router.

After debugging I have found out that this is due to a check in 
neutron/_model_query.py in query_with_hooks that checks if the current 
context is service or admin, and IF NOT, adds a query_filter that limits 
the query to the current project.

This seems by design but I cannot for the life of me understand why the 
policy system cannot enforce this instead (or the rbac system?).

For now I have decided to just patch it myself and push the change to my 
cluster, but it would be interesting to hear if there are any design 
decisions for it.

Johan Jatko
LuleƄ Academic Computer Society

More information about the Openstack mailing list