provider network creation by project admin
Dears,
There is a project called 'bush' in my test lab and a user 'bush' who has admin privileges only in this project:
Adding role admin to user bush in project bush:
doka@lagavulin:~/heat$ osadm role add --user bush --project bush admin
Wrapping "openstack role add --user bush --project bush admin" in project "admin" as "doka"
[ ... ]
doka@lagavulin:~/heat$ osadm role assignment list --user bush
Wrapping "openstack role assignment list --user bush" in project "admin" as "doka"
+----------------------------------+----------------------------------+----------------------------------+
| Role                             | User                             | Project                          |
+----------------------------------+----------------------------------+----------------------------------+
| 2106ec01459143419e306e14292559ab | d898c45e63c846beac5848d2df79b15b | 53937a6b4bab4aa995e3ebc36c12b36e |
+----------------------------------+----------------------------------+----------------------------------+
doka@lagavulin:~/heat$ osadm role list |grep 2106ec
| 2106ec01459143419e306e14292559ab | admin
doka@lagavulin:~/heat$ osadm user list |grep d898
| d898c45e63c846beac5848d2df79b15b | bush
doka@lagavulin:~/heat$ osadm project list |grep 53937
| 53937a6b4bab4aa995e3ebc36c12b36e | bush
So user 'bush' has only one role, 'admin', in only one project, 'bush'. But OpenStack allows this user to create a provider network, while this user has no rights outside his project:
Wrapping "openstack network show bushnet" in bush
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2017-03-14T15:52:32Z                 |
| description               |                                      |
| dns_domain                |                                      |
| id                        | 51d4c774-4f97-4a2f-843c-fc5b352d09b2 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| mtu                       | 1500                                 |
| name                      | bushnet                              |
| port_security_enabled     | True                                 |
| project_id                | 53937a6b4bab4aa995e3ebc36c12b36e     |
| provider:network_type     | vlan                                 |
| provider:physical_network | additional                           |
| provider:segmentation_id  | 155                                  |
| qos_policy_id             | None                                 |
| revision_number           | 4                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| updated_at                | 2017-03-14T15:52:32Z                 |
+---------------------------+--------------------------------------+
while the documentation clearly says that "By default only administrators can create or update provider networks because they require configuration of physical network infrastructure." and policy.json contains the corresponding entries:
"create_network:router:external": "rule:admin_only",
"create_network:is_default": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
So the question is whether the admin of any project can grab a provider resource (in this case a VLAN) whenever he wants, without any negotiation with the provider?
Thanks!
Not sure what you mean by "without any negotiations with provider", but yes - once you have the admin role, you can do anything an admin can do, including setting up external networks. For finer-grained permissions you need to tweak the policy.
I mean that the admin of an ordinary project can grab resources of the physical network (in my example, a VLAN for the network). Is that OK?
The admin can create an OpenStack resource named "provider network". This doesn't mean "grabbing physical resources". OpenStack resources are mapped to physical resources by the deployer of the cloud, via configuration files.
Sure, I defined the VLAN range in the config files. The question was about who can use this. It seems there is no notion of 'project admin'; there are admins (of the entire OpenStack) and other users. https://ask.openstack.org/en/question...
Anything that has to do with the infrastructure underlying the cloud is not supposed to be touched, or even seen, by project members. Think of it - any changes to the infrastructure potentially affect all projects. Only the people who manage the cloud can have access.
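The answer's advice to "tweak the policy" and the policy.json entries quoted in the question both come down to how a rule such as "rule:admin_only" resolves: in the stock Neutron policy it ends at "role:admin", which is satisfied by an admin role in any project, including 'bush'. The following is an added Python illustration, not code from the question, from Neutron or from oslo.policy: a small evaluator for the subset of policy.json rule syntax used on this page, run against credentials shaped like user 'bush', first under the stock rules and then under a stricter variant. The rule name "cloud_admin" and the "is_admin_project" credential key are assumptions made for this example (the key mirrors Keystone's admin-project concept; confirm what your release's oslo.context exposes to policy before relying on it).

```python
import json

# Constructed policy fragment: the stock Neutron chain from the question
# (admin_only -> context_is_admin -> role:admin) plus a stricter
# 'cloud_admin' rule. The name 'cloud_admin' is an assumption for this example.
POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "cloud_admin": "role:admin and is_admin_project:True",
    "create_network:router:external": "rule:admin_only",
    "create_network:is_default": "rule:admin_only",
    "create_network:segments": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only"
}"""

# The create_network attributes that policy.json gates individually
# (the six entries quoted in the question, in the same order).
PROVIDER_ATTRS = (
    "router:external",
    "is_default",
    "segments",
    "provider:network_type",
    "provider:physical_network",
    "provider:segmentation_id",
)


def load_policy(text):
    """Parse policy.json text into a {rule_name: expression} dict."""
    return json.loads(text)


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":               # reference to another named rule
        return evaluate(value, creds, rules)
    if kind == "role":               # caller holds this role in the token's project
        return value in creds.get("roles", ())
    if kind == "is_admin_project":   # token is scoped to the cloud's admin project (assumed key)
        return bool(creds.get("is_admin_project", False)) == (value == "True")
    return str(creds.get(kind)) == value   # generic 'key:literal' comparison


def evaluate(name_or_expr, creds, rules):
    """Evaluate a rule name or an inline expression ('or' of 'and' groups,
    no parentheses or 'not', which is all this page's rules need)."""
    expr = rules.get(name_or_expr, name_or_expr)
    for disjunct in expr.split(" or "):
        if all(_check_atom(a.strip(), creds, rules) for a in disjunct.split(" and ")):
            return True
    return False


def denied_attributes(creds, network_request, rules):
    """Return the gated attributes present in a create_network body that the
    caller may not set under the given rules (empty list: request passes)."""
    return [
        attr for attr in PROVIDER_ATTRS
        if attr in network_request
        and not evaluate("create_network:" + attr, creds, rules)
    ]


def restrict_to_admin_project(rules):
    """Return a copy of the rules in which admin_only requires the cloud admin
    project, not merely an admin role in some project."""
    hardened = dict(rules)
    hardened["admin_only"] = "rule:cloud_admin"
    return hardened


if __name__ == "__main__":
    rules = load_policy(POLICY_JSON)
    # Credentials as the question describes them: admin role, project 'bush' only.
    bush = {"roles": ["admin"],
            "project_id": "53937a6b4bab4aa995e3ebc36c12b36e",
            "is_admin_project": False}
    # Request body reconstructed from the 'network show bushnet' output above.
    request = {"name": "bushnet", "provider:network_type": "vlan",
               "provider:physical_network": "additional",
               "provider:segmentation_id": 155, "router:external": True}
    print("stock policy denies:   ", denied_attributes(bush, request, rules))
    print("hardened policy denies:",
          denied_attributes(bush, request, restrict_to_admin_project(rules)))
```

Under the stock rules the denied list for 'bush' is empty, which is exactly the behaviour the question observed; under the hardened copy every provider attribute in the request is refused unless the token is also scoped to the admin project. The same check is what a deployer would apply when auditing which of their project admins can reach provider attributes.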