yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1445475] Re: neutron service user should not require admin

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Fri, 17 Apr 2015 15:12:11 -0000
Reply-to: Bug 1445475 <1445475@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

You've switched this bug report to indicate an exploitable security
vulnerability. Can you describe in greater detail the exploitation
scenario you have in mind? What sort of patch to neutron do you expect
to correct this defect? Does this vulnerability appear in previous
releases of neutron as well, or does it only affect the current master
and stable/kilo branches of neutron?

** Also affects: ossa
Importance: Undecided
Status: New

** Changed in: ossa
Status: New => Incomplete

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1445475

Title:
neutron service user should not require admin

Status in OpenStack Neutron (virtual network service):
New
Status in OpenStack Security Advisories:
Incomplete

Bug description:

The typical config has nova using the 'neutron' user in the 'service' project to do operations against Neutron. The 'neutron' user should not require the 'admin' role on the 'service' project to do all the operations it needs to do against Neutron. Neutron's default policy.json should allow the 'neutron' user (i.e., users with the 'service' role) to do all the operations it needs to do against Neutron, rather than requiring 'admin'.

Nova is allocating networks and creating ports, so these operations
need to allow the 'service' role to perform these operations, too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1445475/+subscriptions

References

[Bug 1445475] [NEW] neutron service user should not require admin
From: Brant Knudson, 2015-04-17