yahoo-eng-team team mailing list archive

[Bug 1338880] [NEW] Any user can set a network as external


Public bug reported:

Even though the default policy.json restricts the creation of external
networks to admin_only, any user can update a network as external.

I could verify this with the following test (PseudoPython):

project: ProjectA
user: ProjectMemberA has Member role on project ProjectA.

    with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA, router_external=False) as test_network:
        self.project_member_a_neutron_client.update_network(network=test_network, router_external=True)

project_member_a_neutron_client encapsulates a python-neutronclient, and
here is what the method does.

    def update_network(self, network, name=None, shared=None, router_external=None):
        # Build a Neutron API request body containing only the attributes
        # the caller asked to change.
        body = {
            'network': {
            }
        }
        if name is not None:
            body['network']['name'] = name
        if shared is not None:
            body['network']['shared'] = shared
        if router_external is not None:
            body['network']['router:external'] = router_external

        # PUT /v2.0/networks/{id} through python-neutronclient and return
        # the updated network resource.
        return self.python_neutronclient.update_network(network=network.id,
                                                        body=body)['network']


The expected behaviour is that the operation should not be allowed, but the user without admin privileges is able to perform such a change.

Trying to add an "update_network:router:external": "rule:admin_only"
policy did not work and broke other operations a regular user should be
able to do.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338880

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338880/+subscriptions
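Added example, not from the report or from Neutron's own code: a toy model of the `<action>:<attribute>` rule convention used in Neutron's policy.json, with constructed policy fragments, that replays the reporter's test against a policy without and with an update-time `router:external` rule. It shows the intended effect of such a rule in isolation; the report states that adding it to real Neutron broke other member operations, which this simplified model does not reproduce.

```python
# Constructed policy fragment in the shape of Neutron's policy.json: creating
# an external network is admin_only, but nothing covers setting it on update.
DEFAULT_POLICY = {
    "admin_only": "role:admin",
    "admin_or_owner": "rule:admin_only or tenant_id:%(tenant_id)s",
    "create_network": "",
    "create_network:router:external": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
}
# The update-time attribute rule the reporter tried to add.
HARDENED_POLICY = {**DEFAULT_POLICY,
                   "update_network:router:external": "rule:admin_only"}

def _eval(policy, expr, target, creds):
    # Rule grammar handled here: '' (allow), 'role:R', 'rule:NAME',
    # 'tenant_id:%(tenant_id)s'-style generic checks, joined by ' or '.
    if expr == "":
        return True
    if " or " in expr:
        return any(_eval(policy, p.strip(), target, creds) for p in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return _eval(policy, policy[value], target, creds)
    return str(creds.get(kind)) == value % target

def enforce(policy, action, body, resource, creds):
    """Base action rule must pass, and so must '<action>:<attr>' for every
    attribute present in the request body that has such a rule."""
    target = {**resource, **body}
    if not _eval(policy, policy.get(action, ""), target, creds):
        return False
    for attr in body:
        attr_rule = policy.get(f"{action}:{attr}")
        if attr_rule is not None and not _eval(policy, attr_rule, target, creds):
            return False
    return True

def reproduce(policy):
    """Replay the report: ProjectMemberA (Member role) updates its own network."""
    member = {"roles": ["Member"], "tenant_id": "ProjectA"}
    net = {"tenant_id": "ProjectA", "router:external": False}
    return {
        "member_sets_external": enforce(policy, "update_network", {"router:external": True}, net, member),
        "member_renames": enforce(policy, "update_network", {"name": "renamed"}, net, member),
    }
```

With DEFAULT_POLICY the member's `router:external` update passes, which is the behaviour the report describes; with HARDENED_POLICY it is denied while a plain rename by the same member is still allowed.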