Does network RBAC work in Newton?

asked 2016-11-30 05:24:30 -0600

updated 2016-11-30 05:30:55 -0600

I am trying this on a Newton master-based devstack. Policy:

ubuntu@ubuntu:~ [demo/demo] grep create_rbac_policy /etc/neutron/policy.json
    "create_rbac_policy": "",
    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",

Any project should be able to share its networks with other projects. But it only works if admin executes the rbac create command. This is what I do:

  • As demo project, create a network
  • Share it with another project

Result: The other project can't see the shared network

ubuntu@ubuntu:~ [demo/demo] openstack network create nwshare
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2016-11-30T11:15:06Z                 |
| description             |                                      |
| headers                 |                                      |
| id                      | e1ac3dba-aa32-4f48-a892-d82a5b89a4d7 |
| ipv4_address_scope      | None                                 |
| ipv6_address_scope      | None                                 |
| mtu                     | 1450                                 |
| name                    | nwshare                              |
| port_security_enabled   | True                                 |
| project_id              | 77f0ce6bf4e746f2bb9bc7acebaecd0b     |
| qos_policy_id           | None                                 |
| revision_number         | 3                                    |
| router:external         | Internal                             |
| shared                  | False                                |
| status                  | ACTIVE                               |
| subnets                 |                                      |
| tags                    | []                                   |
| updated_at              | 2016-11-30T11:15:06Z                 |
+-------------------------+--------------------------------------+
ubuntu@ubuntu:~ [demo/demo] openstack network rbac create --action access_as_shared --type network --target-project myproject nwshare
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| headers           |                                      |
| id                | 8c23feab-a1e2-4df0-b1f7-80d2bec3c582 |
| object_id         | e1ac3dba-aa32-4f48-a892-d82a5b89a4d7 |
| object_type       | network                              |
| project_id        | 77f0ce6bf4e746f2bb9bc7acebaecd0b     |
| project_id        | 77f0ce6bf4e746f2bb9bc7acebaecd0b     |
| target_project_id | myproject                            |
+-------------------+--------------------------------------+
ubuntu@ubuntu:~ [demo/demo] . devstack//openrc myuser myproject
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
ubuntu@ubuntu:~ [myuser/myproject] openstack network list
+------------------------------+------------------------+--------------------------------------+
| ID                           | Name                   | Subnets                              |
+------------------------------+------------------------+--------------------------------------+
| 6b6a7806-ad75-4d1d-802b-d... | auto_allocated_network | 4334ba3c-f91c-4d71-801f-92580f5c4639 |
| a2ae61ac-909a-44ca-9b86-a... | public                 | 2010c45e-1055-4246-a269-38bdb9fe4971 |
+------------------------------+------------------------+--------------------------------------+

This is not expected. What if I am admin?

ubuntu@ubuntu:~ [myuser/myproject] . devstack/openrc  admin admin
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
ubuntu@ubuntu:~ [admin/admin] openstack network rbac delete 8c23feab-a1e2-4df0-b1f7-80d2bec3c582
ubuntu@ubuntu:~ [admin/admin] openstack network rbac create --action access_as_shared --type network --target-project myproject --project demo nwshare
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| headers           |                                      |
| id                | caf57c0f-7f16-4bc8-8c57-de629587f6e0 |
| object_id         | e1ac3dba-aa32-4f48-a892-d82a5b89a4d7 |
| object_type       | network                              |
| project_id        | 77f0ce6bf4e746f2bb9bc7acebaecd0b     |
| project_id        | 77f0ce6bf4e746f2bb9bc7acebaecd0b     |
| target_project_id | e3b6eb6b338644e88465c08a85a66748     |
+-------------------+--------------------------------------+
ubuntu@ubuntu:~ [admin/admin] . devstack//openrc myuser myproject
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
ubuntu@ubuntu:~ [myuser/myproject] openstack network list
+------------------------------+------------------------+--------------------------------------+
| ID                           | Name                   | Subnets                              |
+------------------------------+------------------------+--------------------------------------+
| 6b6a7806-ad75-4d1d-802b-d... | auto_allocated_network | 4334ba3c-f91c-4d71-801f-92580f5c4639 |
| a2ae61ac-909a-44ca-9b86-a... | public                 | 2010c45e-1055-4246-a269-38bdb9fe4971 |
| e1ac3dba-aa32-4f48-a892-d... | nwshare                |                                      |
+----------------------------------+------------------------+--------------------------------------+
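The two `rbac create` outputs above differ in one field: the demo-user run recorded the literal name `myproject` as `target_project_id`, the admin run recorded a project UUID. The check below is an added example, not part of the original post; it assumes you have collected per-policy `openstack network rbac show -f json` output into a list and `openstack project list -f json` (keys `ID`, `Name`), and it flags policies whose target is neither the `*` wildcard nor an existing project ID.

```python
"""Audit Neutron network RBAC policies whose target can never match a project.

Added example, not from the original post. Inputs are constructed inline,
modelled on the two rbac entries shown in the question.
"""
import json
import re

# Keystone project IDs are 32 hex characters; '*' is the RBAC wildcard target.
PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
WILDCARD = "*"

# Constructed sample: list of `openstack network rbac show -f json` dicts.
SAMPLE_RBAC = json.dumps([
    {"id": "8c23feab-a1e2-4df0-b1f7-80d2bec3c582", "object_type": "network",
     "object_id": "e1ac3dba-aa32-4f48-a892-d82a5b89a4d7",
     "action": "access_as_shared", "target_project_id": "myproject"},
    {"id": "caf57c0f-7f16-4bc8-8c57-de629587f6e0", "object_type": "network",
     "object_id": "e1ac3dba-aa32-4f48-a892-d82a5b89a4d7",
     "action": "access_as_shared",
     "target_project_id": "e3b6eb6b338644e88465c08a85a66748"},
])
# Constructed sample: `openstack project list -f json` output.
SAMPLE_PROJECTS = json.dumps([
    {"ID": "77f0ce6bf4e746f2bb9bc7acebaecd0b", "Name": "demo"},
    {"ID": "e3b6eb6b338644e88465c08a85a66748", "Name": "myproject"},
])


def audit_rbac_targets(rbac_json, projects_json):
    """Return {policy_id: reason} for policies whose target will never match."""
    projects = json.loads(projects_json)
    known_ids = {p["ID"] for p in projects}
    by_name = {p["Name"]: p["ID"] for p in projects}
    findings = {}
    for pol in json.loads(rbac_json):
        target = pol["target_project_id"]
        if target == WILDCARD or target in known_ids:
            continue  # wildcard or a real project: nothing to report
        if not PROJECT_ID_RE.match(target):
            # Looks like an unresolved project name rather than an ID.
            hint = f" (project '{target}' has id {by_name[target]})" if target in by_name else ""
            findings[pol["id"]] = "target is not a project id" + hint
        else:
            findings[pol["id"]] = "target project id does not exist"
    return findings


if __name__ == "__main__":
    for pid, reason in audit_rbac_targets(SAMPLE_RBAC, SAMPLE_PROJECTS).items():
        print(f"{pid}: {reason}")
```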