Creating a floating IP with a non-admin user on OpenStack returns an HttpException: 403

Solution Verified - Updated

Environment

  • Red Hat OpenStack Platform(RHOSP) 16.x

Issue

  • Creating a floating IP address with a static (specific) IP address is restricted to the admin role. An exception is thrown when a non-admin user tries to create a static floating IP address:

    openstack floating ip create --floating-ip-address 10.0.0.150  b4257dd3-6443-4a45-b8e2-eea58ab18257
    Error while executing command: HttpException: 403, (rule:create_floatingip and rule:create_floatingip:floating_ip_address) is disallowed by policy
    

Resolution

Note - Open a support case before making any changes to the configuration file, as this is intended for the user to test on testing platforms.

  • To allow a non-admin role to create a static floating IP with the --floating-ip-address option, change the policy.json for the neutron service. The configuration file for the neutron service is located at /var/lib/config-data/puppet-generated/neutron/etc/neutron/policy.json

    [root@controller-0 ~]# cat /var/lib/config-data/puppet-generated/neutron/etc/neutron/policy.json | grep -i floating
    # Create a floating IP
    # POST  /floatingips
    #"create_floatingip": "rule:regular_user"
    # Create a floating IP with a specific IP address
    # POST  /floatingips
    #"create_floatingip:floating_ip_address": "rule:admin_only"
    "create_floatingip:floating_ip_address": "rule:admin_only_or_regular_user" #----> Add this line
    
  • To make the change persistent, restart the neutron_api container on all three controllers, one at a time, with an interval of 5-10 minutes between them

    podman restart neutron_api
    
  • Try creating a floating IP as a non-admin user. The operation should succeed and return its output without any errors

    [stack@director ~] source overcloudrc
    (overcloud) [stack@director ~] openstack floating ip create --floating-ip-address 10.0.0.150  b4257dd3-6443-4a45-b8e2-eea58ab18257
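
To confirm which controllers carry the override after the steps above, this added example (not part of the original solution) reports the effective, uncommented value of create_floatingip:floating_ip_address in each policy file and flags a mismatch, since `grep -i floating` also prints the commented defaults. The function names and the two sample files are constructed for illustration; on a real deployment, pass the policy.json copied from each controller.

```shell
#!/bin/sh
# Added example (not from the original article). Sample files are constructed.
RULE='create_floatingip:floating_ip_address'

# effective_rule FILE [RULE]: print the value of the last uncommented
# "RULE": "value" line, or "(default)" if the rule is absent or only commented.
effective_rule() {
    local file="$1" rule="${2:-$RULE}" hit
    hit=$(sed -n -E \
        "s/^[[:space:]]*\"$rule\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*\$/=\1/p" \
        "$file" | tail -n 1)
    if [ -n "$hit" ]; then printf '%s\n' "${hit#=}"; else printf '(default)\n'; fi
}

# audit_policy FILE...: print "FILE: value" per file and return 1 when the
# files disagree (for example, one controller was missed).
audit_policy() {
    local file value first seen=0 rc=0
    for file in "$@"; do
        value=$(effective_rule "$file")
        printf '%s: %s\n' "$file" "$value"
        if [ "$seen" -eq 0 ]; then first="$value"; seen=1
        elif [ "$value" != "$first" ]; then rc=1; fi
    done
    return "$rc"
}

# write_samples DIR: constructed policy files for two hypothetical controllers.
write_samples() {
    cat > "$1/controller-0.json" <<'EOF'
# Create a floating IP with a specific IP address
# POST  /floatingips
#"create_floatingip:floating_ip_address": "rule:admin_only"
"create_floatingip:floating_ip_address": "rule:admin_only_or_regular_user" #----> Add this line
EOF
    cat > "$1/controller-1.json" <<'EOF'
# Create a floating IP with a specific IP address
# POST  /floatingips
#"create_floatingip:floating_ip_address": "rule:admin_only"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_policy "$tmp/controller-0.json" "$tmp/controller-1.json" \
    || echo "policy differs between files"
rm -rf "$tmp"
```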
    

Root Cause

  • The default neutron policy does not allow users with a non-admin role to create static floating IP addresses.

     [root@controller-0 ~]# cat /var/lib/config-data/puppet-generated/neutron/etc/neutron/policy.json | grep -i floating
     # Create a floating IP
     # POST  /floatingips
     #"create_floatingip": "rule:regular_user"
     # Create a floating IP with a specific IP address
     # POST  /floatingips
     #"create_floatingip:floating_ip_address": "rule:admin_only"
    

Diagnostic Steps

  • An exception is thrown when a non-admin user tries to create a static floating IP address

    openstack floating ip create --floating-ip-address 10.0.0.150  b4257dd3-6443-4a45-b8e2-eea58ab18257
    Error while executing command: HttpException: 403, (rule:create_floatingip and rule:create_floatingip:floating_ip_address) is disallowed by policy
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.