
yahoo-eng-team team mailing list archive

[Bug 1338880] Re: Any user can set a network as external

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338880

Title:
  Any user can set a network as external

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  Even though the default policy.json restricts the creation of external
  networks to admin_only, any user can update a network as external.

  I could verify this with the following test (PseudoPython):

  project: ProjectA
  user: ProjectMemberA has Member role on project ProjectA.

  with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA, router_external=False) as test_network:
      self.project_member_a_neutron_client.update_network(network=test_network, router_external=True)

  project_member_a_neutron_client encapsulates a python-neutronclient,
  and here is what the method does.

      def update_network(self, network, name=None, shared=None, router_external=None):
          # Build the request body from only the attributes the caller supplied.
          body = {
              'network': {
              }
          }
          if name is not None:
              body['network']['name'] = name
          if shared is not None:
              body['network']['shared'] = shared
          if router_external is not None:
              body['network']['router:external'] = router_external

          # Return the updated network as reported by the server.
          return self.python_neutronclient.update_network(network=network.id,
                                                          body=body)['network']

  
  The expected behaviour is that the operation should not be allowed, but the user without admin privileges is able to perform such a change.

  Trying to add an "update_network:router:external": "rule:admin_only"
  policy did not work and broke other operations a regular user should
  be able to do.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338880/+subscriptions
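
An added example, not part of the original bug report or Neutron's own code: a small audit that lists attribute rules a policy.json restricts on create but leaves undefined on update, which is the asymmetry the report describes for router:external. The sample policy is constructed, and split_action and find_update_gaps are hypothetical helper names; the audit reads only the policy file and says nothing about how the server enforces it.

```python
import json

# Constructed sample in policy.json style; not the project's shipped file.
SAMPLE_POLICY = json.loads("""
{
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "create_network": "",
    "create_network:router:external": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only",
    "get_network:router:external": "rule:regular_user"
}
""")


def split_action(key):
    """Split 'create_network:router:external' into (verb, resource, attribute)."""
    action, sep, attribute = key.partition(":")
    verb, underscore, resource = action.partition("_")
    if not sep or not underscore:
        return None  # rule alias or resource-level rule, no attribute part
    return verb, resource, attribute


def find_update_gaps(policy):
    """Return attribute rules that are restricted on create but absent on update."""
    gaps = []
    for key, rule in sorted(policy.items()):
        parts = split_action(key)
        if parts is None or parts[0] != "create" or not rule:
            continue  # only restricted create-time attribute rules matter here
        _, resource, attribute = parts
        update_key = "update_%s:%s" % (resource, attribute)
        if update_key not in policy:
            gaps.append((key, rule, update_key))
    return gaps


if __name__ == "__main__":
    for create_key, rule, missing in find_update_gaps(SAMPLE_POLICY):
        print("%s is %r but %s is not defined" % (create_key, rule, missing))
```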

