ha routers can only be created by admins

Bug #1826501 reported by Wouter van Bommel
Affects: OpenStack Neutron API Charm
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

With the default policy.json, it's only possible for openstack admin users to create ha routers.

It would be useful to have this configurable, so we can also choose the option to let a regular user create ha-routers, just as a regular user can create a non-ha router already.

The relevant piece in policy.json

    "get_router:ha": "rule:admin_only",
    "create_router": "rule:regular_user",
    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "create_router:distributed": "rule:admin_only",
    "create_router:ha": "rule:admin_only",
    "get_router": "rule:admin_or_owner",
    "get_router:distributed": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:distributed": "rule:admin_only",
    "update_router:ha": "rule:admin_only",
    "delete_router": "rule:admin_or_owner",

tags: added: bootstack-is
tags: added: canonical-is-bootstack
removed: bootstack-is
tags: added: canonical-bootstack
removed: canonical-is-bootstack
Sahid Orentino (sahid-ferdjaoui) wrote :

Looks to be a reasonable ask. An operator should be able to choose whether regular users can create ha routers.

I think we currently only refer to the policy.json installed from the package; the charm does not touch that file. I'm going to ask the team whether it's something we could provide or if it's expected to have the operator update the file themselves.

Changed in charm-neutron-api:
importance: Undecided → Wishlist
status: New → Opinion
Changed in charm-neutron-api:
status: Opinion → Triaged
Dmitrii Shcherbakov (dmitriis) wrote :

This is just one example out of many from my perspective. You would encounter the same with DVR routers and capabilities of other services besides Neutron.

    "create_router:distributed": "rule:admin_only",

There is certainly a trade-off with adding a lot of per-use-case options to individual charms and allowing custom policy.d drop-ins to be defined. I would at least consider the following lp & spec:

https://bugs.launchpad.net/charms.openstack/+bug/1741723
https://review.opendev.org/#/c/604238
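
Added example, not part of the bug thread or the charm's code: a Python check over the router rules quoted in the bug description that flags an override granting more than the packaged rule, and lists attributes whose create/get/update rules disagree once the override is applied. The `OVERRIDE` dict, the `STRICTNESS` ordering and the function names are assumptions made for illustration.

```python
import json

# Router rules quoted in the bug description (packaged policy.json fragment).
PACKAGED = json.loads("""{
  "get_router:ha": "rule:admin_only",
  "create_router": "rule:regular_user",
  "create_router:external_gateway_info:enable_snat": "rule:admin_only",
  "create_router:distributed": "rule:admin_only",
  "create_router:ha": "rule:admin_only",
  "get_router": "rule:admin_or_owner",
  "get_router:distributed": "rule:admin_only",
  "update_router:external_gateway_info:enable_snat": "rule:admin_only",
  "update_router:distributed": "rule:admin_only",
  "update_router:ha": "rule:admin_only",
  "delete_router": "rule:admin_or_owner"
}""")

# Constructed override: the change the reporter asks to make configurable.
OVERRIDE = {"create_router:ha": "rule:regular_user"}

# Assumed ordering of the three rule names in the fragment, strictest first.
STRICTNESS = {"rule:admin_only": 2, "rule:admin_or_owner": 1, "rule:regular_user": 0}


def relaxed(packaged, override):
    """Overrides that grant more than the packaged rule (or cannot be ranked)."""
    out = []
    for target, new in sorted(override.items()):
        old = packaged.get(target)
        ranked = old in STRICTNESS and new in STRICTNESS
        if not ranked or STRICTNESS[new] < STRICTNESS[old]:
            out.append((target, old, new))
    return out


def split_attributes(packaged, override):
    """Attributes whose create/get/update rules disagree after the override."""
    merged = {**packaged, **override}
    by_attr = {}
    for target, rule in merged.items():
        action, _, attr = target.partition(":")
        if attr:  # attribute-level rule such as create_router:ha
            by_attr.setdefault(attr, {})[action] = rule
    return {a: r for a, r in by_attr.items() if len(set(r.values())) > 1}


if __name__ == "__main__":
    print(relaxed(PACKAGED, OVERRIDE), split_attributes(PACKAGED, OVERRIDE))
```

With the constructed override, `create_router:ha` is reported as relaxed and `ha` is reported as split, because `get_router:ha` and `update_router:ha` stay at `rule:admin_only`.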

Ryan Beisner (1chb1n)
tags: added: custom-policy