yahoo-eng-team team mailing list archive

[Bug 1726914] Re: Non admin can change external of network through RBAC policy


I noticed that the current RBAC design must allow a regular user to change
admin attributes like external and shared. We must understand the
design.

** Changed in: neutron
       Status: In Progress => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1726914

Title:
  Non admin can change external of network through RBAC policy

Status in neutron:
  Opinion

Bug description:
  Generally we prohibit non-admin users from creating and updating networks
  with the external option [1, 2] by policy.json. However, a non-admin can
  change the external option using an RBAC policy.

  [1]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L52
  [2]: https://github.com/openstack/neutron/blob/master/etc/policy.json#L64

  $ openstack network create net
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | UP                                   |
  | availability_zone_hints   |                                      |
  | availability_zones        |                                      |
  | created_at                | 2017-10-24T15:15:22Z                 |
  | description               |                                      |
  | dns_domain                | None                                 |
  | id                        | db82dcea-9e91-4f81-9447-6d90bccb050f |
  | ipv4_address_scope        | None                                 |
  | ipv6_address_scope        | None                                 |
  | is_default                | False                                |
  | is_vlan_transparent       | None                                 |
  | mtu                       | 1450                                 |
  | name                      | net                                  |
  | port_security_enabled     | True                                 |
  | project_id                | 9e01496fa46a425bb5228f3b6d73ca6c     |
  | provider:network_type     | None                                 |
  | provider:physical_network | None                                 |
  | provider:segmentation_id  | None                                 |
  | qos_policy_id             | None                                 |
  | revision_number           | 2                                    |
  | router:external           | Internal                             |
  | segments                  | None                                 |
  | shared                    | False                                |
  | status                    | ACTIVE                               |
  | subnets                   |                                      |
  | tags                      |                                      |
  | updated_at                | 2017-10-24T15:15:22Z                 |
  +---------------------------+--------------------------------------+

  A non-admin user cannot update his network's external option.

  $ openstack network set --external net
  HttpException: Forbidden (HTTP 403) (Request-ID: req-21866c75-25f5-416c-80b3-312fef71b36f), (rule:update_network and rule:update_network:router:external) is disallowed by policy

  A non-admin user can update his network's external option using an RBAC
  policy.

  $ openstack network rbac create --type network --target-project 3b3ff25f99884355932f5d316847ebbe --action access_as_external net
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | action            | access_as_external                   |
  | id                | 95bade41-77f7-4495-a90a-29fa6eba0518 |
  | name              | None                                 |
  | object_id         | db82dcea-9e91-4f81-9447-6d90bccb050f |
  | object_type       | network                              |
  | project_id        | 9e01496fa46a425bb5228f3b6d73ca6c     |
  | target_project_id | 3b3ff25f99884355932f5d316847ebbe     |
  +-------------------+--------------------------------------+
  $ openstack network show net
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | UP                                   |
  | availability_zone_hints   |                                      |
  | availability_zones        |                                      |
  | created_at                | 2017-10-24T15:15:22Z                 |
  | description               |                                      |
  | dns_domain                | None                                 |
  | id                        | db82dcea-9e91-4f81-9447-6d90bccb050f |
  | ipv4_address_scope        | None                                 |
  | ipv6_address_scope        | None                                 |
  | is_default                | False                                |
  | is_vlan_transparent       | None                                 |
  | mtu                       | 1450                                 |
  | name                      | net                                  |
  | port_security_enabled     | True                                 |
  | project_id                | 9e01496fa46a425bb5228f3b6d73ca6c     |
  | provider:network_type     | None                                 |
  | provider:physical_network | None                                 |
  | provider:segmentation_id  | None                                 |
  | qos_policy_id             | None                                 |
  | revision_number           | 4                                    |
  | router:external           | External                             |
  | segments                  | None                                 |
  | shared                    | False                                |
  | status                    | ACTIVE                               |
  | subnets                   |                                      |
  | tags                      |                                      |
  | updated_at                | 2017-10-24T15:16:38Z                 |
  +---------------------------+--------------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1726914/+subscriptions
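An audit check an operator can run while the design question above is open, added here as an example (not code from the bug report or from the Neutron project): it walks RBAC policy records and network records shaped like the CLI output in the report and flags networks whose router:external flag is backed by an access_as_external RBAC entry created by a non-admin project. The records and the admin project id are constructed; the API-style boolean for router:external and the ADMIN_PROJECTS set are assumptions.

```python
# Added example, not from the bug report or Neutron itself.
# Records are constructed dicts shaped after the report's CLI output;
# router:external is carried as the API boolean rather than the CLI's
# "External"/"Internal" rendering (assumption).

ADMIN_PROJECTS = {"admin-project-id"}  # assumption: the operator's admin project ids

NETWORKS = [
    {"id": "db82dcea-9e91-4f81-9447-6d90bccb050f", "name": "net",
     "project_id": "9e01496fa46a425bb5228f3b6d73ca6c", "router:external": True},
    {"id": "11111111-aaaa-4bbb-8ccc-222222222222", "name": "public",
     "project_id": "admin-project-id", "router:external": True},
]

RBAC_POLICIES = [
    # the entry from the report: a tenant granting access_as_external on its own net
    {"id": "95bade41-77f7-4495-a90a-29fa6eba0518", "object_type": "network",
     "object_id": "db82dcea-9e91-4f81-9447-6d90bccb050f",
     "action": "access_as_external",
     "project_id": "9e01496fa46a425bb5228f3b6d73ca6c",
     "target_project_id": "3b3ff25f99884355932f5d316847ebbe"},
    # a constructed admin-created entry that should not be flagged
    {"id": "33333333-bbbb-4ccc-8ddd-444444444444", "object_type": "network",
     "object_id": "11111111-aaaa-4bbb-8ccc-222222222222",
     "action": "access_as_external",
     "project_id": "admin-project-id", "target_project_id": "*"},
]


def find_non_admin_external_grants(networks, rbac_policies, admin_projects):
    """Return (network_id, rbac_policy_id, creating_project) for each network
    whose router:external flag is backed by an access_as_external RBAC policy
    that was created by a project outside admin_projects."""
    by_net = {n["id"]: n for n in networks}
    findings = []
    for pol in rbac_policies:
        if pol["object_type"] != "network" or pol["action"] != "access_as_external":
            continue
        net = by_net.get(pol["object_id"])
        if net is None or not net.get("router:external"):
            continue  # policy no longer points at an external network
        if pol["project_id"] not in admin_projects:
            findings.append((net["id"], pol["id"], pol["project_id"]))
    return findings


if __name__ == "__main__":
    for net_id, rbac_id, owner in find_non_admin_external_grants(
            NETWORKS, RBAC_POLICIES, ADMIN_PROJECTS):
        print(f"network {net_id} is external via rbac {rbac_id} from {owner}")
```

Feeding it the output of `openstack network list --long` and `openstack network rbac list` (as JSON) in place of the constructed records gives the same check against a live deployment.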
