provider network creation by project admin

asked 2017-03-14 15:44:42 -0500

doka.ua

updated 2017-03-15 05:44:17 -0500

Dears,

There is a project called 'bush' in my test lab and a user 'bush' who has admin privileges only in this project:

Adding role admin to user bush in project bush:

    doka@lagavulin:~/heat$ osadm role add --user bush --project bush admin
    Wrapping "openstack role add --user bush --project bush admin" in project "admin" as "doka"
    [ ... ]
    doka@lagavulin:~/heat$ osadm role assignment list --user bush
    Wrapping "openstack role assignment list --user bush" in project "admin" as "doka"
    +---------------------+----------------------------------+----------------------------------+
    | Role                | User                             | Project                          |
    +---------------------+----------------------------------+----------------------------------+
    | 2106ec01459143419e306e14292559ab | d898c45e63c846beac5848d2df79b15b | 53937a6b4bab4aa995e3ebc36c12b36e |
    +---------------------+----------------------------------+----------------------------------+

    doka@lagavulin:~/heat$ osadm role list |grep 2106ec
    | 2106ec01459143419e306e14292559ab | admin

    doka@lagavulin:~/heat$ osadm user list |grep d898
    | d898c45e63c846beac5848d2df79b15b | bush

    doka@lagavulin:~/heat$ osadm project list |grep 53937
    | 53937a6b4bab4aa995e3ebc36c12b36e | bush

So user 'bush' has only one role, 'admin', in the only project 'bush'. But OpenStack allows this user to create a provider network, while this user has no rights outside his project:

    Wrapping "openstack network show bushnet" in bush
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | UP                                   |
    | availability_zone_hints   |                                      |
    | availability_zones        |                                      |
    | created_at                | 2017-03-14T15:52:32Z                 |
    | description               |                                      |
    | dns_domain                |                                      |
    | id                        | 51d4c774-4f97-4a2f-843c-fc5b352d09b2 |
    | ipv4_address_scope        | None                                 |
    | ipv6_address_scope        | None                                 |
    | is_default                | False                                |
    | mtu                       | 1500                                 |
    | name                      | bushnet                              |
    | port_security_enabled     | True                                 |
    | project_id                | 53937a6b4bab4aa995e3ebc36c12b36e     |
    | provider:network_type     | vlan                                 |
    | provider:physical_network | additional                           |
    | provider:segmentation_id  | 155                                  |
    | qos_policy_id             | None                                 |
    | revision_number           | 4                                    |
    | router:external           | External                             |
    | segments                  | None                                 |
    | shared                    | True                                 |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | updated_at                | 2017-03-14T15:52:32Z                 |
    +---------------------------+--------------------------------------+

while the documentation clearly says that "By default only administrators can create or update provider networks because they require configuration of physical network infrastructure." and policy.json contains the corresponding entries:

    "create_network:router:external": "rule:admin_only",
    "create_network:is_default": "rule:admin_only",
    "create_network:segments": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",

So the question is: can the admin of any project grab a provider resource (in this case a VLAN) whenever he wants, without any negotiation with the provider?

Thanks!


Comments

Not sure what you mean by "without any negotiations with provider", but yes - once you have the admin role, you can do anything an admin can do, including setting up external networks. For finer-grained permissions you need to tweak the policy.

Bernd Bausch (2017-03-14 23:07:08 -0500)

I mean that the admin of an ordinary project can grab resources of the physical network (in my example, a VLAN for the network). Is that OK?

doka.ua (2017-03-15 03:12:52 -0500)

The admin can create an OpenStack resource named "provider network". This doesn't mean "grabbing physical resources". OpenStack resources are mapped to physical resources by the deployer of the cloud, via configuration files.

Bernd Bausch (2017-03-15 04:56:09 -0500)

Sure, I defined the VLAN range in the config files. The question was about who can use it. It seems there is no notion of 'project admin'; there are admins (of the entire OpenStack) and other users. https://ask.openstack.org/en/question...

doka.ua (2017-03-15 05:41:26 -0500)

Anything that has to do with the infrastructure underlying the cloud is not supposed to be touched, or even seen, by project members. Think of it: any change to the infrastructure potentially affects all projects. Only the people who manage the cloud can have access.

Bernd Bausch (2017-03-15 06:16:38 -0500)

1 answer


answered 2017-03-15 03:37:55 -0500

Vinoth

AFAIK, there is nothing called an admin user for specific projects/tenants in OpenStack.

Any user with the admin role will act as an administrator for the entire OpenStack setup.

Only a user with the member role is restricted from other projects/tenants; a user with the admin role acts as a global admin for the entire OpenStack setup, i.e., an admin-role user can see all the VMs / networks / volumes across all tenants.

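To make concrete why the answer and the comments above say the admin role is global, here is a small, constructed Python model of how the quoted policy.json entries are resolved. It is an added illustration, not code from the question, from Neutron or from oslo.policy; it implements only the subset of the rule language the quoted entries use (`rule:`, `role:`, literal `project_id:`, `and`, `or`). The `context_is_admin` and `admin_only` helper rules are the stock Neutron defaults; the `HARDENED_POLICY` variant and its `CLOUD_ADMIN_PROJECT` placeholder are assumptions showing the kind of "tweak the policy" the first comment refers to, where the admin role is only honoured when the token is scoped to a designated operator project.

```python
"""Simplified model of policy.json rule evaluation (constructed example).

Not oslo.policy and not Neutron code: just enough of the rule language
to show that 'rule:admin_only' ultimately reduces to 'role:admin', which
never looks at the project the token is scoped to.
"""
import re

# Helper rules are the stock Neutron defaults; the create_network entries
# are the six lines quoted in the question.
DEFAULT_POLICY = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "create_network:router:external": "rule:admin_only",
    "create_network:is_default": "rule:admin_only",
    "create_network:segments": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",
}

# Hypothetical hardened variant (assumption, not a Neutron default): the
# admin role only counts when the token is scoped to one operator project.
# The project id is a placeholder, not a value from the question.
CLOUD_ADMIN_PROJECT = "PLACEHOLDER-cloud-admin-project-id"
HARDENED_POLICY = dict(DEFAULT_POLICY)
HARDENED_POLICY["context_is_admin"] = (
    "role:admin and project_id:" + CLOUD_ADMIN_PROJECT
)


def _check_atom(atom, creds, policy):
    """Evaluate one 'kind:value' term against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, creds, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    # Any other kind (e.g. project_id) is compared literally against the
    # credential field of the same name.
    return str(creds.get(kind)) == value


def evaluate(rule_name, creds, policy):
    """True if creds satisfy policy[rule_name]; an unknown rule denies."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    # 'and' binds tighter than 'or': split on 'or' first, then require
    # every 'and' term of some disjunct to hold.
    for disjunct in re.split(r"\s+or\s+", expr):
        if all(_check_atom(term.strip(), creds, policy)
               for term in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def provider_attrs_allowed(creds, policy):
    """Map each create_network:provider:* rule to whether creds pass it."""
    names = [n for n in policy if n.startswith("create_network:provider:")]
    return {n: evaluate(n, creds, policy) for n in names}


if __name__ == "__main__":
    # Credentials of user 'bush' as shown in the question: admin role,
    # token scoped to project 53937a6b4bab4aa995e3ebc36c12b36e.
    bush = {"roles": ["admin"],
            "project_id": "53937a6b4bab4aa995e3ebc36c12b36e"}
    print("default policy :", provider_attrs_allowed(bush, DEFAULT_POLICY))
    print("hardened policy:", provider_attrs_allowed(bush, HARDENED_POLICY))
```

Running it shows every `provider:*` attribute allowed for `bush` under the default rules, because the only thing `context_is_admin` inspects is the role list, and denied under the hardened rules, where the project scope of the token is part of the check. The same mechanism is why a member-role user is denied either way.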