Can a non-admin add a fixed floating ip from Heat [closed]

asked 2017-06-06

updated 2017-06-08

Looking at the doco for OS::Neutron::FloatingIP

The default policy setting in Neutron restricts usage of this property to administrative users only.

As the admin user I have allocated some floating IPs to my project. And these unused floating IPs are available (not assigned to any ports / instances) in my (non admin) project ..

As the (non admin) project user I can run server add floating ip <VM> 172.x.y.62 and successfully add a specific one of these floating IPs to my running instance.

Just wondering if there is a way of doing this in Heat? I.e., assigning a specific (existing) floating IP in Heat (that has already been allocated to my project), or do I need to tweak some permissions somewhere? Thanks heaps in advance !!

I've tried this

    dmzhost-port-floating-ip:
      type: OS::Neutron::FloatingIP
      properties:
        floating_network: public
        port_id: { get_resource: dmzhost-port }
        floating_ip_address: 172.x.y.62

but it fails with.. (it's trying to create a new floating IP - not assign an existing one ?)

    2017-06-06 22:37:59Z [net.dmzhost-port-floating-ip]: CREATE_FAILED  Forbidden: resources.dmzhost-port-floating-ip: {'description': '', 'subnet_id': None, 'tenant_id': u'4739ddaec8f1460b9a886d676f2e33eb', u'floating_network_id': u'88ad5648-62ee-4c3a-8cf1-8299573b4878', 'fixed_ip_address': None, u'floating_ip_address': u'17

2 answers

answered 2017-06-06

updated 2017-06-07

Your example confuses creation of a new Floating IP with adding an existing Floating IP to a port/instance.

The doc is in line with Neutron's Floating IP API:

Default policy settings enable only administrative users to set floating IP addresses and some non-administrative users might require a floating IP address. If you do not specify a floating IP address in the request, the operation automatically allocates one

Which means, IMO, that a normal user can't request a specific IP address and must accept whatever address the system allocates.

EDIT: To add an existing Floating IP to a server, use the OS::Nova::Server resource. Example from the doc:

    type: OS::Nova::Server
    properties:
      networks: [{"floating_ip": String, "port": String, "network": String, ...

Thanks for the reply Bernd .. I was wondering if the Heat syntax was trying to create a new one..

As the admin I have already allocated some floating IPs to my project. (I will add this to the question description as it's probably quite relevant.) And I can choose one of these specific addresses (as the project user) when using the CLI : server add floating ip dmzhost 172.x.y.62 ..

I updated my answer.

Thanks Bernd !! It's working !! :-) I had to use the floating-ip "uuid". I'm now also directly setting the fixed IP .. which allowed me to remove the port definition.. which is nice..

    - subnet:  dmz-sub
      floating_ip: 09c37...

There's also OS::Neutron::FloatingIPAssociation if you prefer.
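
The two approaches this answer and its comments arrive at, written out as one template. This is an added example, not code from the original posts or from the Heat project; the parameter names, the network name `dmz-net`, the second host `dmzhost2` and the template version are assumptions, while `dmz-sub` is the subnet name used in the thread.

```yaml
heat_template_version: 2016-10-14   # assumed release

description: Attach floating IPs an admin already allocated to this project.

parameters:
  fip_id_a:
    type: string
    description: UUID (not the address) of a floating IP already in the project
  fip_id_b:
    type: string
    description: UUID of a second pre-allocated floating IP
  image:
    type: string
  flavor:
    type: string

resources:
  # Option A: the server resource creates its own port and associates the IP.
  # No floating_ip_address is set, so nothing asks Neutron for a specific
  # new address (the admin-only property quoted in the question).
  dmzhost:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - subnet: dmz-sub                      # subnet name from the thread
          floating_ip: { get_param: fip_id_a }

  # Option B: keep an explicit port and associate the IP as its own resource.
  dmzhost2-port:                               # hypothetical second host
    type: OS::Neutron::Port
    properties:
      network: dmz-net                         # assumed network name
      fixed_ips:
        - subnet: dmz-sub
  dmzhost2:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - port: { get_resource: dmzhost2-port }
  dmzhost2-fip-assoc:
    type: OS::Neutron::FloatingIPAssociation
    properties:
      floatingip_id: { get_param: fip_id_b }
      port_id: { get_resource: dmzhost2-port }
```

Both options take the floating IP's UUID, which a project user can read from the ID column of `openstack floating ip list`.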

answered 2017-06-06

It depends on your permissions in Neutron's policy.json.

Nothing in Heat will enforce it as far as I know, it will just fail when it calls Neutron if you don't have permissions.

Thanks (again!!) Zaneb - At face value it looks to me like heat is enforcing something.. as heat definitely fails but CLI: server add floating ip dmzhost x.x.x.x works fine .. (as the same (non admin) project/tenant/user) .. I will add some more detail to my question. Thanks again ! :-)

