Red Hat OpenStack Services on OpenShift
OSPRH-22353

Neutron Custom Policies for a network administrator role


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version: rhos-17.1.4
    • Component: openstack-neutron
    • rhos-connectivity-neutron
    • Sprint: Neutron Sprint 28

      Support Case reference: https://access.redhat.com/support/cases/#/case/04312122

      Goal:

      The customer is looking to create a network administrator custom role to assign to network admins, instead of giving them full admin access. 

      This is required for our multi-tenant environment where network administrators need to manage networks across different projects without full admin privileges.

      This role must be capable of:

      • Creating network ports on shared or external networks with specific IP addresses
      • CRUD on RBAC policies when the type of network is VLAN Provider or Geneve

      Product Version: Red Hat OpenStack Platform 17.1.4

      Acceptance Criteria:

      These are steps described by customer:

      • Current Behavior

      The current Neutron policy rules prevent non-admin users from creating ports with specific IP addresses on shared networks when they are not the network owner. This limitation blocks our use case.

      • Current Policy Rules

      The following are the current policy rules from our OpenStack deployment:

      ```
      "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared",
      "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s",
      "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
      ```

      • Proposed Solution

      We propose to modify the policy rules to include `role:advanced-network-admin` in the allowed roles for:

      - `create_port:fixed_ips`
      - `create_port:fixed_ips:ip_address`
      - `create_port:fixed_ips:subnet_id`

      Additionally, we would like to grant the role permissions for:

      - Network creation
      - RBAC policy management (create, update, delete, get)

      • Test Case: Reproducing the Issue

      The following CLI commands demonstrate the current limitation and the expected behavior after the policy modification.

      Step 1: Create Projects

      ```bash
      # Source admin credentials
      source admin-rc
      # Create Project A
      openstack project create project-a \
        --description "Project A - Network Owner"
      # Create Project B
      openstack project create project-b \
        --description "Project B - Network Consumer"
      ```
      Step 2: Create Network in Project A

      ```bash
      # Switch to Project A context
      export OS_PROJECT_NAME=project-a
      export OS_PROJECT_DOMAIN_NAME=Default
      # Create shared network in Project A with port security disabled
      # (--disable-port-security is a network/port option, not a subnet option)
      NETWORK_A_ID=$(openstack network create network-a \
        --project project-a \
        --share \
        --disable-port-security \
        --description "Shared network from Project A" \
        -f value -c id)
      # Create subnet with DHCP disabled, no allocation pool
      SUBNET_A_ID=$(openstack subnet create subnet-a \
        --network $NETWORK_A_ID \
        --project project-a \
        --subnet-range 192.168.100.0/24 \
        --no-dhcp \
        -f value -c id)
      echo "Network A ID: $NETWORK_A_ID"
      echo "Subnet A ID: $SUBNET_A_ID"
      ```
      Step 3: Share Network with Project B via RBAC

      ```bash
      # Switch back to admin context
      source admin-rc
      # Create RBAC policy to share network with Project B
      PROJECT_B_ID=$(openstack project show project-b -f value -c id)
      openstack network rbac create \
        --type network \
        --action access_as_shared \
        --target-project $PROJECT_B_ID \
        $NETWORK_A_ID
      echo "Network shared with Project B via RBAC"
      ```
      Step 4: Create User in Project B

      ```bash
      # Create user in Project B
      openstack user create user-b \
        --project project-b \
        --password <password> \
        --email user-b@example.com
      # Assign member role to user-b in project-b
      openstack role add --project project-b --user user-b member
      echo "User user-b created in Project B"
      ```
      Step 5: Attempt to Create Port (Current Behavior - Fails)

      ```bash
      # Switch to user-b context in Project B
      export OS_USERNAME=user-b
      export OS_PROJECT_NAME=project-b
      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_USER_DOMAIN_NAME=Default
      export OS_PASSWORD=<password>
      export OS_AUTH_URL=<auth_url>
      # Verify network is visible
      openstack network show $NETWORK_A_ID
      # Attempt to create port with specific IP address. THIS WILL FAIL with current policies
      openstack port create test-port \
        --network $NETWORK_A_ID \
        --fixed-ip subnet=$SUBNET_A_ID,ip-address=192.168.100.10
      ```

      Expected error: `Forbidden: Policy doesn't allow create_port:fixed_ips:ip_address to be performed.`

      Step 6: Expected Behavior After Policy Modification

      After modifying the policy to include `role:advanced-network-admin`, the following should work:

      ```bash
      # Assign advanced-network-admin role to user-b
      source admin-rc
      openstack role add --project project-b --user user-b advanced-network-admin
      # Switch back to user-b context
      export OS_USERNAME=user-b
      export OS_PROJECT_NAME=project-b
      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_USER_DOMAIN_NAME=Default
      export OS_PASSWORD=<password>
      export OS_AUTH_URL=<auth_url>
      # Now this should succeed
      openstack port create test-port \
        --network $NETWORK_A_ID \
        --fixed-ip subnet=$SUBNET_A_ID,ip-address=192.168.100.10
      ```

      Expected: Port created successfully

      We propose modifying the Neutron policy.json file as follows:

      • Modified Policy Rules

      ```
      "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared or role:advanced-network-admin",
      "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or role:advanced-network-admin",
      "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared or role:advanced-network-admin"
      ```

      • Additional Policy Rules for Network and RBAC Management

      ```
      "create_network": "rule:admin_or_owner or role:advanced-network-admin",
      "create_network:shared": "rule:admin_only or role:advanced-network-admin",
      "create_network:router:external": "rule:admin_only or role:advanced-network-admin",
      "create_rbac_policy": "rule:admin_or_owner or role:advanced-network-admin",
      "update_rbac_policy": "rule:admin_or_owner or role:advanced-network-admin",
      "delete_rbac_policy": "rule:admin_or_owner or role:advanced-network-admin",
      "get_rbac_policy": "rule:admin_or_owner or role:advanced-network-admin",
      "get_rbac_policies": "rule:admin_or_owner or role:advanced-network-admin"
      ```

      • Implementation Plan

      1. Create the `advanced-network-admin` role using Keystone
      2. Modify `/etc/neutron/policy.json` on all Neutron API nodes
      3. Restart Neutron services to apply policy changes
      4. Assign the role to appropriate users
      5. Test the functionality using the test case above

      • Risk Assessment

      - Low Risk: Policy modifications are additive (adding a role check) and do not remove existing permissions
      - Rollback: Easy to revert by removing the role checks from policy.json and restarting services
      - Testing: Can be tested in a non-production environment first
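      To see what the proposed `create_port:fixed_ips:ip_address` rule actually grants, here is a small added evaluator (not from the ticket or from Neutron) that mimics oslo.policy's `or`/`and` precedence against the credentials from the test case; the base rules `context_is_advsvc` and `network_owner` are assumed Neutron defaults. It also evaluates a hypothetical project-scoped variant of the new role check, showing that the check as proposed is not limited to the user's own project, while the scoped variant still allows the shared-network case from Step 6.

```python
# Added example, not part of the ticket: a minimal oslo.policy-style evaluator
# supporting only the operators the quoted rules use ("or", "and", "rule:",
# "role:", "system_scope:" and generic "<key>:%(target_key)s" checks).
BASE_RULES = {  # assumed Neutron defaults referenced by the proposed rule
    "context_is_advsvc": "role:advsvc",
    "network_owner": "project_id:%(network:project_id)s",
}
PROPOSED_RULES = {  # rule exactly as proposed in the ticket
    "create_port:fixed_ips:ip_address": (
        "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all"
        " or role:admin and project_id:%(project_id)s or role:advanced-network-admin"),
}
SCOPED_RULES = {  # hypothetical variant: new role check limited to the caller's project
    "create_port:fixed_ips:ip_address":
        PROPOSED_RULES["create_port:fixed_ips:ip_address"] + " and project_id:%(project_id)s",
}

def _check(term, creds, target, rules):
    kind, _, match = term.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", ())
    if kind == "system_scope":
        return creds.get("system_scope") == match
    try:  # generic check, e.g. project_id:%(project_id)s compares creds to target
        return creds.get(kind) == match % target
    except KeyError:  # target lacks the key: oslo.policy treats this as a deny
        return False

def enforce(rule_name, creds, target, rules):
    """Evaluate a named rule; as in oslo.policy, 'and' binds tighter than 'or'."""
    all_rules = {**BASE_RULES, **rules}
    return any(all(_check(t.strip(), creds, target, all_rules) for t in clause.split(" and "))
               for clause in all_rules[rule_name].split(" or "))

# Constructed credentials and targets mirroring the ticket's test case.
MEMBER_B = {"roles": ["member"], "project_id": "proj-b"}
NETADMIN_B = {"roles": ["member", "advanced-network-admin"], "project_id": "proj-b"}
PORT_ON_NET_A = {"project_id": "proj-b", "network:project_id": "proj-a"}   # Step 5/6 case
PORT_IN_PROJ_C = {"project_id": "proj-c", "network:project_id": "proj-c"}  # unrelated project

if __name__ == "__main__":
    for creds, target, rules in [(MEMBER_B, PORT_ON_NET_A, PROPOSED_RULES),
                                 (NETADMIN_B, PORT_ON_NET_A, PROPOSED_RULES),
                                 (NETADMIN_B, PORT_IN_PROJ_C, PROPOSED_RULES),
                                 (NETADMIN_B, PORT_IN_PROJ_C, SCOPED_RULES)]:
        print(creds["roles"], target["project_id"],
              enforce("create_port:fixed_ips:ip_address", creds, target, rules))
```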

      • Support Request

      We request Red Hat support to:
      1. Review and approve this policy modification approach
      2. Provide guidance on best practices for implementing custom roles in RHOSP 17
      3. Confirm compatibility with future RHOSP updates
      4. Document this as a supported configuration if approved

      • Additional Information

      - We understand that custom policy modifications may not be officially supported
      - We are willing to test thoroughly before production deployment
      - We can provide additional test cases or scenarios if needed

      • Describe the impact to you or the business

      Right now we are using the admin account for that; to get lower permissions we would like to have a custom role.

      We need to create a custom role that allows specific users to:
      - Create network ports on shared or external networks with specific IP addresses
      - Create ports on networks owned by other tenants/projects
      - Create new networks and RBAC rules to share networks with other tenants

      Rodolfo Alonso (rodolfo_alonso)
      Soumaya Msallem (smsallem@redhat.com)
      rhos-dfg-networking-squad-neutron