yahoo-eng-team team mailing list archive
Message #68794
[Bug 1726914] [NEW] Non admin can change external of network through RBAC policy
Public bug reported:
Generally we prohibit non-admin users from creating and updating a network with
the external option [1, 2] via policy.json. However, a non-admin user can change the
external option using an RBAC policy.
[1]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L52
[2]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L64
$ openstack network create net
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-10-24T15:15:22Z |
| description | |
| dns_domain | None |
| id | db82dcea-9e91-4f81-9447-6d90bccb050f |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | net |
| port_security_enabled | True |
| project_id | 9e01496fa46a425bb5228f3b6d73ca6c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 2 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2017-10-24T15:15:22Z |
+---------------------------+--------------------------------------+
A non-admin user cannot update his network's external option.
$ openstack network set --external net
HttpException: Forbidden (HTTP 403) (Request-ID: req-21866c75-25f5-416c-80b3-312fef71b36f), (rule:update_network and rule:update_network:router:external) is disallowed by policy
A non-admin user can update his network's external option using an RBAC
policy.
$ openstack network rbac create --type network --target-project 3b3ff25f99884355932f5d316847ebbe --action access_as_external net
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_external |
| id | 95bade41-77f7-4495-a90a-29fa6eba0518 |
| name | None |
| object_id | db82dcea-9e91-4f81-9447-6d90bccb050f |
| object_type | network |
| project_id | 9e01496fa46a425bb5228f3b6d73ca6c |
| target_project_id | 3b3ff25f99884355932f5d316847ebbe |
+-------------------+--------------------------------------+
$ openstack network show net
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-10-24T15:15:22Z |
| description | |
| dns_domain | None |
| id | db82dcea-9e91-4f81-9447-6d90bccb050f |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | net |
| port_security_enabled | True |
| project_id | 9e01496fa46a425bb5228f3b6d73ca6c |
| provider:network_type | None |
| provider:physical_network | None |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 4 |
| router:external | External |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2017-10-24T15:16:38Z |
+---------------------------+--------------------------------------+
** Affects: neutron
Importance: Undecided
Assignee: Hirofumi Ichihara (ichihara-hirofumi)
Status: New
** Tags: access-control
** Changed in: neutron
Assignee: (unassigned) => Hirofumi Ichihara (ichihara-hirofumi)
** Tags added: access-control
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1726914
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1726914/+subscriptions
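The bypass reported above never touches the `update_network:router:external` policy rule, so a policy.json audit will not reveal it; the only place it is visible is the RBAC table. The following audit script is an added example for this bug, not code from the report or from Neutron. It consumes records in the shape of `openstack network rbac show -f json` and `openstack network show -f json` (the same fields the report's tables list, with `router:external` as a JSON boolean) and flags networks that became external through an RBAC entry owned by a project outside an admin allow-list. The allow-list, the second and third RBAC entries and the second network are constructed for illustration; the first RBAC entry and the first network reproduce the ones in the report.

```python
"""Audit Neutron RBAC entries for the access_as_external bypass described above.

Added example for this bug report; not code from the report or from Neutron.
Input records mirror `openstack network rbac show -f json` and
`openstack network show -f json`. Sample data below is constructed.
"""
import json

# Hypothetical allow-list: project IDs whose members may publish external
# networks. In a real deployment this comes from Keystone (admin/service projects).
ADMIN_PROJECT_IDS = {"5d6e0f1a2b3c4d5e6f708192a3b4c5d6"}

# Constructed sample: RBAC entries as `openstack network rbac show -f json` prints them.
# The first entry reproduces the one in the report (non-admin owner, access_as_external).
SAMPLE_RBAC_JSON = """[
 {"id": "95bade41-77f7-4495-a90a-29fa6eba0518", "object_type": "network",
  "object_id": "db82dcea-9e91-4f81-9447-6d90bccb050f", "action": "access_as_external",
  "project_id": "9e01496fa46a425bb5228f3b6d73ca6c",
  "target_project_id": "3b3ff25f99884355932f5d316847ebbe"},
 {"id": "1c2d3e4f-0000-4000-8000-000000000001", "object_type": "network",
  "object_id": "db82dcea-9e91-4f81-9447-6d90bccb050f", "action": "access_as_shared",
  "project_id": "9e01496fa46a425bb5228f3b6d73ca6c",
  "target_project_id": "3b3ff25f99884355932f5d316847ebbe"},
 {"id": "1c2d3e4f-0000-4000-8000-000000000002", "object_type": "network",
  "object_id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "action": "access_as_external",
  "project_id": "5d6e0f1a2b3c4d5e6f708192a3b4c5d6",
  "target_project_id": "*"}
]"""

# Constructed sample: networks as `openstack network show -f json` prints them
# (router:external is a JSON boolean here, not the External/Internal label of the table).
SAMPLE_NETWORKS_JSON = """[
 {"id": "db82dcea-9e91-4f81-9447-6d90bccb050f", "name": "net",
  "project_id": "9e01496fa46a425bb5228f3b6d73ca6c", "router:external": true},
 {"id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "name": "public",
  "project_id": "5d6e0f1a2b3c4d5e6f708192a3b4c5d6", "router:external": true}
]"""


def find_external_rbac_bypass(rbac_entries, admin_projects):
    """Return RBAC entries granting access_as_external on a network whose owning
    project is not in admin_projects. The update_network:router:external policy
    rule is never evaluated on this path, so the RBAC table is the only signal."""
    return [
        e for e in rbac_entries
        if e.get("object_type") == "network"
        and e.get("action") == "access_as_external"
        and e.get("project_id") not in admin_projects
    ]


def report_findings(rbac_entries, networks, admin_projects):
    """Correlate flagged RBAC entries with each network's current router:external flag."""
    nets_by_id = {n["id"]: n for n in networks}
    findings = []
    for entry in find_external_rbac_bypass(rbac_entries, admin_projects):
        net = nets_by_id.get(entry["object_id"], {})
        findings.append({
            "rbac_id": entry["id"],
            "network_id": entry["object_id"],
            "network_name": net.get("name"),
            "owner_project": entry["project_id"],
            "target_project": entry["target_project_id"],
            # A "*" target (--target-all-projects) exposes the network to every project.
            "wildcard_target": entry["target_project_id"] == "*",
            # As the report shows, router:external flips to True once such an entry exists.
            "currently_external": bool(net.get("router:external", False)),
        })
    return findings


def audit(rbac_json, networks_json, admin_projects=ADMIN_PROJECT_IDS):
    """Parse the two JSON documents and return the list of findings."""
    return report_findings(json.loads(rbac_json), json.loads(networks_json), admin_projects)


if __name__ == "__main__":
    for f in audit(SAMPLE_RBAC_JSON, SAMPLE_NETWORKS_JSON):
        print(f"{f['rbac_id']}: network {f['network_name']} ({f['network_id']}) made external "
              f"by non-admin project {f['owner_project']} for target {f['target_project']}"
              f"{' [ALL PROJECTS]' if f['wildcard_target'] else ''}")
```

To run this against a live deployment, collect the RBAC entries as an admin (so entries from every project are visible) with `openstack network rbac show <id> -f json` for each id returned by `openstack network rbac list`, and the networks with `openstack network show <id> -f json`; an empty allow-list turns the script into a plain inventory of every `access_as_external` grant, which is the right starting point when the set of trusted projects is not yet known.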