
Tenant not allowed to net-create with provider:physical_network

asked 2015-01-01 12:53:16 -0500

Caguax

I have a tenant that I would like to allow to create a net and choose the physical_network. When I run the following command I get an error.

neutron net-create caguax-net2 --provider:physical_network n7k
Forbidden (HTTP 403) (Request-ID: req-9fba7161-f212-4964-b545-60fee51dd2bc)

2015-01-01 13:48:07.937 4048 INFO neutron.wsgi [-] (4048) accepted ('10.0.236.102', 49739)
2015-01-01 13:48:07.983 4048 INFO neutron.api.v2.resource [req-127d8ca5-ae98-4b14-bb82-fef233f839ea None] create failed (client error): Policy doesn't allow create_network to be performed.
2015-01-01 13:48:07.983 4048 INFO neutron.wsgi [req-127d8ca5-ae98-4b14-bb82-fef233f839ea None] 10.0.236.102 - - [01/Jan/2015 13:48:07] "POST /v2.0/networks.json HTTP/1.1" 403 327 0.045769

If I use this, it does work, but it chooses a random provider from my config:

[ml2_type_vlan]
network_vlan_ranges = pub:20:20,n3k:21:22,n7k:23:24,aci:25:26

[root@os-aio-pod2 ~(keystone_caguax)]$ neutron net-create caguax-net2
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 6442493f-fae1-4d1c-8b46-a8dd60c78002 |
| name            | caguax-net2                          |
| router:external | False                                |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | 23f96133022a48078f500697a8677df5     |
+-----------------+--------------------------------------+
[root@os-aio-pod2 ~(keystone_caguax)]$

How can I allow the tenant to choose the provider?


1 answer


answered 2015-01-01 21:29:04 -0500

Default policy for Neutron only allows admin to create networks with provider tag.

You can edit /etc/neutron/policy.json to allow non-admin users to create networks with provider tags.

"create_network:provider:physical_network": "rule:admin_only"

See reference here: http://docs.openstack.org/juno/config...


Comments

Thanks...that did the trick

Caguax (2015-01-02 08:24:52 -0500)

Can you check that it was answered, please, so the question can be closed? Thanks.

sfcloudman (2015-01-03 21:34:56 -0500)

I don't see how this rule could work to enable a tenant to create networks without being upgraded to an admin role?

visibilityspots (2015-11-17 09:53:34 -0500)
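A way to check what an edited policy.json actually grants before deploying it, as an added example that is not part of the original thread or of Neutron's code: a small evaluator for policy rule strings (`rule:`, `role:`, `and`, `or`, `not`, parentheses) that reports whether a caller with given roles may set each provider attribute on create_network. The `net_provider` role, the `SAMPLE` policy and the function names are assumptions made for the illustration; target checks are assumed to match and undefined rule names are treated as denied.

```python
import json
import re

PROVIDER_RULES = ["create_network:provider:" + a for a in
                  ("network_type", "physical_network", "segmentation_id")]
# Words and bare parentheses; %(name)s substitutions stay inside their word.
TOKEN = re.compile(r"(?:%\([^)]*\)s|[^\s()])+|[()]")

def allowed(expr, rules, roles):
    """Evaluate one policy.json rule string for a caller holding `roles`."""
    tokens = TOKEN.findall(expr)[::-1]  # reversed: pop() yields the next token
    if not tokens:
        return True  # empty rule: every authenticated caller passes
    def factor():
        tok = tokens.pop()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = either()
            tokens.pop()  # consume the closing ")"
            return val
        kind, _, value = tok.partition(":")
        if kind == "rule":  # assumption: an undefined rule name fails closed
            return value in rules and allowed(rules[value], rules, roles)
        if kind == "role":
            return value.lower() in roles
        # "!" denies; "@" and target checks are assumed to match (worst case).
        return tok != "!"
    def chain(op, operand, combine):
        val = operand()
        while tokens and tokens[-1] == op:
            tokens.pop()
            val = combine(operand(), val)
        return val
    def both():
        return chain("and", factor, lambda a, b: a and b)
    def either():
        return chain("or", both, lambda a, b: a or b)
    return either()

def audit(policy_text, roles):
    """Per provider rule: True/False for this caller, None if the rule is absent."""
    rules, roles = json.loads(policy_text), {r.lower() for r in roles}
    return {key: allowed(rules[key], rules, roles) if key in rules else None
            for key in PROVIDER_RULES}

# Constructed sample: stock aliases plus a rule relaxed to a hypothetical role.
SAMPLE = """{"context_is_admin": "role:admin", "admin_only": "rule:context_is_admin",
 "create_network:provider:physical_network": "rule:admin_only or role:net_provider"}"""
```

Calling `audit(SAMPLE, {"_member_"})` and `audit(SAMPLE, {"net_provider"})` shows that the relaxed rule opens `physical_network` only to holders of the extra role, while a rule left at `rule:admin_only` stays closed to ordinary tenant users.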

Stats

Asked: 2015-01-01 12:53:16 -0500

Seen: 2,717 times

Last updated: Jan 01 '15