Allow service role more RBAC access for Octavia

tobias-urdin · ralonsoh · commit 67f9d4dc2632 · 2026-06-04T15:06:38.000Z
This updates the default RBAC rules for multiple resources to allow for a seamless integration with Octavia without having to give Octavia system scope admin in the entire cloud. The current use of the service role in the RBAC rules allows for pretty much all of the permissions that Octavia needs today except for a few. It needs get_subnet to be able to retrieve a subnet and check the details, this is low impact as we already allow get_network. It also needs get_network_ip_availability because it supports to automatically select a subnet (if none is given) on a network based on the amount of available IP addresses. The default Amphora compute driver for Octavia uses a keepalived and HAProxy implementation that uses unicast VRRP for the VIP address, this VIP address is added as an allowed address pair on the ports for the amphora compute instances so the VIP port itself is not bound. Octavia also depends on being able to populate the ``device_id`` field on a port which means it also needs this patch [1] together with this one. [1] https://review.opendev.org/c/openstack/neutron/+/947003 Closes-Bug: #2105502 Signed-off-by: Tobias Urdin <tobias.urdin@binero.com> Change-Id: I089999cece698af1a3b54d1341d9004d4108ae44 (cherry picked from commit 65b9dc6)
diff --git a/neutron/conf/policies/network_ip_availability.py b/neutron/conf/policies/network_ip_availability.py
@@ -24,7 +24,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_network_ip_availability',
-        check_str=base.ADMIN,
+        check_str=base.ADMIN_OR_SERVICE,
         scope_types=['project'],
         description='Get network IP availability',
         operations=[
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
@@ -258,7 +258,8 @@
         name='create_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``allowed_address_pairs`` '
@@ -275,7 +276,8 @@
         name='create_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``mac_address` of `allowed_address_pairs`` '
@@ -292,7 +294,8 @@
         name='create_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Specify ``ip_address`` of ``allowed_address_pairs`` '
@@ -650,7 +653,8 @@
         name='update_port:allowed_address_pairs',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description='Update ``allowed_address_pairs`` attribute of a port',
         operations=ACTION_PUT,
@@ -664,7 +668,8 @@
         name='update_port:allowed_address_pairs:mac_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``mac_address`` of ``allowed_address_pairs`` '
@@ -681,7 +686,8 @@
         name='update_port:allowed_address_pairs:ip_address',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_NET_OWNER_MEMBER,
-            base.PROJECT_MANAGER),
+            base.PROJECT_MANAGER,
+            base.SERVICE),
         scope_types=['project'],
         description=(
             'Update ``ip_address`` of ``allowed_address_pairs`` '
diff --git a/neutron/conf/policies/subnet.py b/neutron/conf/policies/subnet.py
@@ -126,6 +126,7 @@
             'rule:shared',
             'rule:external_network',
             base.ADMIN_OR_NET_OWNER_READER,
+            base.SERVICE,
         ),
         scope_types=['project'],
         description='Get a subnet',
diff --git a/neutron/tests/unit/conf/policies/test_network_ip_availability.py b/neutron/tests/unit/conf/policies/test_network_ip_availability.py
@@ -99,7 +99,7 @@ def setUp(self):
         self.context = self.service_ctx
 
     def test_get_network_ip_availability(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_network_ip_availability', self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'get_network_ip_availability',
+                self.target))
diff --git a/neutron/tests/unit/conf/policies/test_port.py b/neutron/tests/unit/conf/policies/test_port.py
@@ -1811,25 +1811,22 @@ def test_create_port_with_binding_vnic_type(self):
                            'create_port:binding:vnic_type', self.target))
 
     def test_create_port_with_allowed_address_pairs(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs',
+                self.target))
 
     def test_create_port_with_allowed_address_pairs_and_mac_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs:mac_address',
-            self.alt_target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs:mac_address',
+                self.alt_target))
 
     def test_create_port_with_allowed_address_pairs_and_ip_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'create_port:allowed_address_pairs:ip_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_port:allowed_address_pairs:ip_address',
+                self.target))
 
     def test_create_port_tags(self):
         self.assertRaises(
@@ -1927,25 +1924,22 @@ def test_update_port_with_binding_vnic_type(self):
                 self.context, 'update_port:binding:vnic_type', self.target))
 
     def test_update_port_with_allowed_address_pairs(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs',
+                self.target))
 
     def test_update_port_with_allowed_address_pairs_and_mac_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs:mac_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs:mac_address',
+                self.target))
 
     def test_update_port_with_allowed_address_pairs_and_ip_address(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'update_port:allowed_address_pairs:ip_address',
-            self.target)
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_port:allowed_address_pairs:ip_address',
+                self.target))
 
     def test_update_port_data_plane_status(self):
         self.assertRaises(
diff --git a/neutron/tests/unit/conf/policies/test_subnet.py b/neutron/tests/unit/conf/policies/test_subnet.py
@@ -927,10 +927,8 @@ def test_create_subnet_tags(self):
             self.context, 'create_subnet:tags', self.target)
 
     def test_get_subnet(self):
-        self.assertRaises(
-            base_policy.PolicyNotAuthorized,
-            policy.enforce,
-            self.context, 'get_subnet', self.target)
+        self.assertTrue(
+            policy.enforce(self.context, 'get_subnet', self.target))
 
     def test_get_subnet_segment_id(self):
         self.assertRaises(
diff --git a/releasenotes/notes/octavia-service-role-b8ee74e5cb52ea30.yaml b/releasenotes/notes/octavia-service-role-b8ee74e5cb52ea30.yaml
@@ -0,0 +1,33 @@
+---
+features:
+  - |
+    Updated RBAC rules so that they allow the ``service`` role to pass the
+    following policies by default:
+
+    - ``get_subnet``
+
+    - ``get_network_ip_availability``
+
+    - ``create_port:allowed_address_pairs``
+
+    - ``create_port:allowed_address_pairs:mac_address``
+
+    - ``create_port:allowed_address_pairs:ip_address``
+
+    - ``update_port:allowed_address_pairs``
+
+    - ``update_port:allowed_address_pairs:mac_address``
+
+    - ``update_port:allowed_address_pairs:ip_address``
+
+    This allows for integration with the Octavia project using the
+    ``service`` role instead of the ``admin`` role for integration
+    with Neutron.
+upgrade:
+  - |
+    Default RBAC policies for ``get_subnet``, ``get_network_ip_availability``,
+    ``create_port:allowed_address_pairs``, ``create_port:allowed_address_pairs:mac_address``,
+    ``create_port:allowed_address_pairs:ip_address``, ``update_port:allowed_address_pairs``,
+    ``update_port:allowed_address_pairs:mac_address`` and
+    ``update_port:allowed_address_pairs:ip_address`` have been updated to allow the
+    ``service`` role.
