Using OpenStack-Ansible Yoga: as a user in OpenStack I can see all admin-created provider networks in Horizon Network Topology, but I cannot see any admin-created routers, neither in the Horizon interface nor in the CLI. The consequence is that, as a user, my network topology graph does not show me which provider network I am connected to, as there are no routers visible. The connection is there because I can reach the internet and, logged in as admin, I can see the interface from my private network hooked up to a router, which in turn is connected to a provider network. Even with the flag "shared" set to off, these provider networks are visible. Routers do not even seem to have a "shared" flag. How can I make these routers read-only visible for users? All has been working fine in our OpenStack cloud since Ussuri, but this issue I cannot seem to solve.
1 Answer
Looking further into this, I think the answer lies in RBAC policies in OpenStack (see Horizon, Admin, Network, RBAC Policies). The provider networks are visible to users because of RBAC policies that allow this. When you create a provider network and tag it as --external, an RBAC policy is created with the action "access_as_external" and target_project_id the wildcard *, so every project can see these networks. It looks to me that for subnets and routers there are not even objects available for network RBAC policies.

Peter
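Added example, not part of the original answer: a small audit of RBAC policy records that shows which objects a given project is granted and which grants use the `*` wildcard described above. The records are constructed sample data; the field names (`object_type`, `object_id`, `action`, `target_tenant`) are assumed to follow the Neutron `rbac-policies` API listing, and the IDs are made up.

```python
import json

# Constructed sample, shaped like the "rbac_policies" list of a Neutron
# RBAC policy listing (assumed field names, made-up IDs).
SAMPLE = json.loads("""
[
  {"id": "rbac-1", "object_type": "network", "object_id": "net-provider",
   "action": "access_as_external", "target_tenant": "*"},
  {"id": "rbac-2", "object_type": "network", "object_id": "net-lab",
   "action": "access_as_shared", "target_tenant": "project-a"},
  {"id": "rbac-3", "object_type": "qos_policy", "object_id": "qos-gold",
   "action": "access_as_shared", "target_tenant": "project-b"}
]
""")


def granted_to(policies, project_id, object_type="network"):
    """Return {object_id: [actions]} that RBAC grants to project_id."""
    grants = {}
    for p in policies:
        if p["object_type"] != object_type:
            continue
        # A policy applies if it names the project or uses the wildcard.
        if p["target_tenant"] in ("*", project_id):
            grants.setdefault(p["object_id"], []).append(p["action"])
    return grants


def wildcard_grants(policies):
    """Policies that expose an object to every project."""
    return [(p["object_type"], p["object_id"], p["action"])
            for p in policies if p["target_tenant"] == "*"]


def object_types(policies):
    """Distinct object types that have at least one RBAC policy."""
    return sorted({p["object_type"] for p in policies})


if __name__ == "__main__":
    print("project-b networks:", granted_to(SAMPLE, "project-b"))
    print("wildcard grants:", wildcard_grants(SAMPLE))
    print("object types with policies:", object_types(SAMPLE))
```

In this sample, project-b is granted the external provider network only through the wildcard policy, and no record has a router object type.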