With new secure RBAC external gateway ports can't be visible in the API
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Confirmed | Medium | Slawek Kaplonski |
Bug Description
After patch https:/
System admin can only access/modify system wide resources, like e.g. agents.
So basically there isn't any "super user" who can access everything (which is good as this is one of the goals of the whole community goal IIRC).
The problem is with external gateway ports which are intentionally not assigned to any project thus aren't visible in the API even for PROJECT_ADMIN user.
I see 3 possible solutions for that:
1. We will somehow try to hardcode a rule that for external_gateway ports device_id owner will be checked (like it's e.g. with parent_id for some resources) - I don't know how easy/hard it may be to do really but I think it's worth exploring,
2. We will change external gateway ports and they will have an owner, which will be the same as the owner of the router or
3. We will hard code something that for project admin users such external gateway ports will be displayed - but that means that each project admin will see external gateway ports used by all projects as all those ports don't belong to any project.
During today's drivers meeting we discussed that and we decided that we will add project_id to the external gateway ports and will also add a policy rule so by default such ports will be visible only for the project_admin users.
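The visibility outcomes described in the report, as an added example that is not part of the original bug report and is not Neutron or oslo.policy code: a simplified model comparing the reported behaviour, option 3, and the agreed change. The port, router and project names are constructed, and the rule functions are hypothetical stand-ins for policy checks.

```python
from dataclasses import dataclass, replace

GW = "network:router_gateway"  # device_owner Neutron sets on router gateway ports

@dataclass(frozen=True)
class Port:
    id: str
    project_id: str    # "" models a gateway port that belongs to no project
    device_owner: str
    device_id: str     # for a gateway port: the router it is attached to

@dataclass(frozen=True)
class User:
    project_id: str
    role: str          # "admin" or "member" within project_id

# Constructed sample data: two projects, one router and gateway port each.
ROUTER_PROJECT = {"r-a": "proj-a", "r-b": "proj-b"}
PORTS = [
    Port("gw-a", "", GW, "r-a"),
    Port("gw-b", "", GW, "r-b"),
    Port("vm-a", "proj-a", "compute:nova", "i-1"),
]

def owner_only(user, port):
    """Reported behaviour (simplified): project match only, ownerless ports match nobody."""
    return port.project_id == user.project_id

def option3(user, port):
    """Option 3: any project admin may see ownerless gateway ports."""
    if port.device_owner == GW and not port.project_id:
        return user.role == "admin"
    return owner_only(user, port)

def assign_router_project(ports):
    """Agreed change, data side: gateway ports take their router's project_id."""
    return [replace(p, project_id=ROUTER_PROJECT[p.device_id])
            if p.device_owner == GW and not p.project_id else p for p in ports]

def agreed_rule(user, port):
    """Agreed change, policy side: gateway ports visible to the owning project's admin only."""
    if port.device_owner == GW:
        return user.role == "admin" and port.project_id == user.project_id
    return owner_only(user, port)

def visible(rule, user, ports):
    """Sorted ids of the ports the given rule lets this user list."""
    return sorted(p.id for p in ports if rule(user, p))
```

Under option 3 the proj-a admin lists `gw-b`, a port serving another project's router; with the agreed change each gateway port is listed only by the admin of its router's project.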