[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack] Help with hardcoded project_id query_filter in neutron when not admin


I got a problem with neutron-server, and I am not sure if I should 
consider it a bug, a platform limitation, or a future improvement.

My scenario is that I want to allocate floating ips from project "admin" 
to project "project1".
On project admin, I have an external network, and a router connecting 
the external network "external" and a internal network "access-network"

"access-network" is shared to "user1".

When a user in "project1" (non-admin) tries to assign floating ip to an 
instance that is connected to "access-network", the returned error is 
"Router {ID} could not be found".

Letting our projects create their own routers on the external network 
wastes a lot of IPs for us, so we would like to use a shared router.

After debugging I have found out that this is due to a check in 
neutron/ in query_with_hooks that checks if the current 
context is service or admin, and IF NOT, adds a query_filter that limits 
the query to the current project.

This seems by design but I cannot for the life of me understand why the 
policy system cannot enforce this instead (or the rbac system?).

For now I have decided to just patch it myself and push the change to my 
cluster, but it would be interesting to hear if there are any design 
decisions for it.

Johan Jatko
Luleå Academic Computer Society