yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #19927
[Bug 1338880] Re: Any user can set a network as external
** Changed in: neutron
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338880
Title:
Any user can set a network as external
Status in OpenStack Neutron (virtual network service):
Fix Released
Bug description:
Even though the default policy.json restrict the creation of external
networks to admin_only, any user can update a network as external.
I could verify this with the following test (PseudoPython):
project: ProjectA
user: ProjectMemberA has Member role on project ProjectA.
with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA, router_external=False) as test_network:
self.project_member_a_neutron_client.update_network(network=test_network, router_external=True)
project_member_a_neutron_client encapsulates a python-neutronclient,
and here it is what the method does.
def update_network(self, network, name=None, shared=None, router_external=None):
body = {
'network': {
}
}
if name is not None:
body['network']['name'] = name
if shared is not None:
body['network']['shared'] = shared
if router_external is not None:
body['network']['router:external'] = router_external
self.python_neutronclient.update_network(network=network.id,
body=body)['network']
The expected behaviour is that the operation should not be allowed, but the user without admin privileges is able to perform such change.
Trying to add an "update_network:router:external": "rule:admin_only"
policy did not work and broke other operations a regular user should
be able to do.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338880/+subscriptions
References