admin cannot associate net on behalf of a tenant

Bug #1512711 reported by Mathieu Rohon
Affects: networking-bgpvpn
Status: Fix Released
Importance: High
Assigned to: Mathieu Rohon

Bug Description

The following command fails when run with cloud admin credentials:

#neutron bgpvpn-net-assoc-create --tenant-id 'tenant-id' --network 'net-id' 'bgpvpn-id'

It works properly when run with tenant credentials.

Changed in bgpvpn:
importance: Undecided → High
Revision history for this message
Thomas Morin (tmmorin-orange) wrote :

Works for me:

stack@tm-devstack01:~$ source openrc admin

stack@tm-devstack01:~$ neutron net-create netfoo
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 1268a2b4-f0cb-4f01-b1e4-033cbe21eee9 |
| mtu                       | 0                                    |
| name                      | netfoo                               |
| port_security_enabled     | True                                 |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1040                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | cc432618b9fa4275b324346b9f8a4398     |
+---------------------------+--------------------------------------+
stack@tm-devstack01:~$ neutron bgpvpn-create --route-targets 64512:77
Created a new bgpvpn:
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| auto_aggregate       | True                                 |
| export_targets       |                                      |
| id                   | 9b6b6e34-85d1-4a1a-b0b2-5ce336fb8075 |
| import_targets       |                                      |
| name                 |                                      |
| networks             |                                      |
| route_distinguishers |                                      |
| route_targets        | 64512:77                             |
| tenant_id            | cc432618b9fa4275b324346b9f8a4398     |
| type                 | l3                                   |
+----------------------+--------------------------------------+
stack@tm-devstack01:~$ neutron bgpvpn-list
+--------------------------------------+------+------+---------------+----------------+----------------+----------------------------------+----------+
| id                                   | name | type | route_targets | import_targets | export_targets | tenant_id                        | networks |
+--------------------------------------+------+------+---------------+----------------+----------------+----------------------------------+----------+
| 9b6b6e34-85d1-4a1a-b0b2-5ce336fb8075 |      | l3   | [u'64512:77'] | []             | []             | cc432618b9fa4275b324346b9f8a4398 | []       |
+--------------------------------------+------+------+---------------+----------------+----------------+---------------------...


Revision history for this message
Thomas Morin (tmmorin-orange) wrote :

This does not work however:

stack@tm-devstack01:~$ source openrc admin admin
stack@tm-devstack01:~$ neutron bgpvpn-create --route-targets 64512:77 --tenant-id cc432618b9fa4275b324346b9f8a4398
Created a new bgpvpn:
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| auto_aggregate       | True                                 |
| export_targets       |                                      |
| id                   | 40fd4ad6-aac7-46c3-ada1-ac6c92d7ccf8 |
| import_targets       |                                      |
| name                 |                                      |
| networks             |                                      |
| route_distinguishers |                                      |
| route_targets        | 64512:77                             |
| tenant_id            | cc432618b9fa4275b324346b9f8a4398     |
| type                 | l3                                   |
+----------------------+--------------------------------------+
stack@tm-devstack01:~$
stack@tm-devstack01:~$ neutron bgpvpn-net-assoc-create 40fd4ad6-aac7-46c3-ada1-ac6c92d7ccf8 --network netfoo
Not authorized.

So the admin can do an association, but has to do that in the context of the tenant.
Is it an issue?

Revision history for this message
Mathieu Rohon (mathieu-rohon) wrote :

What is happening is that when the admin creates a net-assoc without specifying the --tenant-id, the neutron framework will add the admin tenant id to the resource dict used to create the net-assoc.

The bgpvpn plugin checks that the tenant-id of the net-assoc is the same as the one of the bgpvpn and the one of the network. Since they are different, it returns a 403 exception.

So when the admin wants to create a net-assoc on behalf of a tenant, it has to explicitly specify the --tenant-id parameter. Otherwise it can send the command in the tenant context, as Thomas did previously.

Unfortunately, the neutron-client doesn't display the error message returned by the plugin. I leave the bug open to find a way to have a more explicit message for the end user.

Changed in bgpvpn:
status: New → Confirmed
Revision history for this message
Mathieu Rohon (mathieu-rohon) wrote :

The bug is also valid because even if the admin specifies the tenant-id parameter in a client request, the client doesn't populate the submitted tenant_id in the REST request.
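The mechanism described in the two comments above (the framework filling in the caller's tenant_id when the request body carries none, the plugin's check that the association's tenant_id matches both the BGPVPN's and the network's, and the client dropping --tenant-id from the REST request) as a runnable model. This is an added example written for this page, not networking-bgpvpn's or python-neutronclient's own code. The function names, the NotAuthorized class, the is_admin and client_forwards_tenant_id switches and the short resource IDs are assumptions made for the illustration, and the rule that a non-admin may not submit another tenant's tenant_id models the usual neutron owner policy rather than anything stated in the thread.

```python
"""Model of the ownership check discussed in bug #1512711.

Added illustration, not networking-bgpvpn's own code. Names and the
policy details are assumptions (see the lead-in); the behaviour modelled
is the one the comments describe.
"""
from dataclasses import dataclass
from typing import Optional


class NotAuthorized(Exception):
    """Stands in for the HTTP 403 the plugin returns (assumed name)."""


@dataclass
class Resource:
    id: str
    tenant_id: str


@dataclass
class Context:
    tenant_id: str
    is_admin: bool = False


def build_net_assoc_body(ctx: Context, bgpvpn_id: str, network_id: str,
                         tenant_id: Optional[str] = None,
                         client_forwards_tenant_id: bool = True) -> dict:
    """Assemble the request body as the CLI client plus API framework would.

    client_forwards_tenant_id=False models the pre-fix client, which left
    --tenant-id out of the REST request. A body without tenant_id is then
    filled with the caller's own tenant (the framework default described
    in the thread). Assumption: only an admin may submit a tenant_id other
    than its own; a plain tenant doing so is refused.
    """
    body = {"bgpvpn_id": bgpvpn_id, "network_id": network_id}
    if tenant_id is not None and client_forwards_tenant_id:
        body["tenant_id"] = tenant_id
    body.setdefault("tenant_id", ctx.tenant_id)
    if body["tenant_id"] != ctx.tenant_id and not ctx.is_admin:
        raise NotAuthorized("non-admin may not set a foreign tenant_id")
    return body


def check_net_assoc_ownership(body: dict, bgpvpn: Resource,
                              network: Resource) -> dict:
    """Refuse the association unless all three tenant_ids agree."""
    if body["tenant_id"] != bgpvpn.tenant_id:
        raise NotAuthorized("net-assoc tenant_id != bgpvpn tenant_id")
    if body["tenant_id"] != network.tenant_id:
        raise NotAuthorized("net-assoc tenant_id != network tenant_id")
    return {"bgpvpn_id": bgpvpn.id, "network_id": network.id,
            "tenant_id": body["tenant_id"]}


def try_assoc(ctx: Context, bgpvpn: Resource, network: Resource,
              tenant_id: Optional[str] = None,
              client_forwards_tenant_id: bool = True) -> str:
    """Return 'ok' or the bare 'Not authorized.' the CLI shows."""
    try:
        body = build_net_assoc_body(ctx, bgpvpn.id, network.id, tenant_id,
                                    client_forwards_tenant_id)
        check_net_assoc_ownership(body, bgpvpn, network)
        return "ok"
    except NotAuthorized:
        return "Not authorized."


# Constructed sample data; IDs are placeholders, not the ones in the report.
TENANT = "tenant-a"
ADMIN_TENANT = "admin-tenant"
NET = Resource(id="net-1", tenant_id=TENANT)
VPN = Resource(id="vpn-1", tenant_id=TENANT)


def scenarios() -> dict:
    """The cases from the thread plus the foreign-tenant refusal."""
    admin = Context(ADMIN_TENANT, is_admin=True)
    tenant = Context(TENANT)
    return {
        "tenant context": try_assoc(tenant, VPN, NET),
        "admin, no --tenant-id": try_assoc(admin, VPN, NET),
        "admin, --tenant-id, old client":
            try_assoc(admin, VPN, NET, TENANT, client_forwards_tenant_id=False),
        "admin, --tenant-id, fixed client": try_assoc(admin, VPN, NET, TENANT),
        "tenant submitting another tenant's id":
            try_assoc(tenant, VPN, NET, "tenant-b"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40s} {result}")
```

The third scenario is the one the bug is about: the admin passes --tenant-id, the old client silently drops it, the body gets the admin tenant by default and the plugin's equality check fails with a 403 that the client shows only as "Not authorized." The fix makes the fourth scenario the path the admin takes.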

Revision history for this message
Mathieu Rohon (mathieu-rohon) wrote :
Changed in bgpvpn:
assignee: nobody → Mathieu Rohon (mathieu-rohon)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-bgpvpn (master)

Reviewed: https://review.openstack.org/242437
Committed: https://git.openstack.org/cgit/openstack/networking-bgpvpn/commit/?id=caad274f140027ed5d8bc2e618a02939178c83e7
Submitter: Jenkins
Branch: master

commit caad274f140027ed5d8bc2e618a02939178c83e7
Author: Mathieu Rohon <email address hidden>
Date: Thu Nov 5 18:13:48 2015 +0000

    Client : adding the tenant-id if specified for a net association creation

    Currently the client doesn't add the tenant_id in its request.
    If the tenant_id is specified in the CLI, it has to be integrated
    in the request sent by the client.

    This is at least needed when a tenant wants to create a network
    association on behalf of a tenant.

    Closes-bug: #1512711

    Change-Id: I9e1038372d1ba36ad6e3d6ca8339d4fa03471a53

Changed in bgpvpn:
status: In Progress → Fix Committed
Changed in bgpvpn:
milestone: none → liberty
Changed in bgpvpn:
status: Fix Committed → Fix Released