
yahoo-eng-team team mailing list archive

[Bug 1784586] [NEW] Subnets accessible when project_id != my project id with multiple subnets in single RBAC access_as_shared network

 

Public bug reported:

Subnets in a RBAC access_as_shared network are accessible to projects
even if the subnet project_id doesn't match that project ID.

OpenStack version used for testing: Pike stable on Red Hat ("Red Hat
OpenStack Platform 12")

Steps to reproduce:
- Create three projects: proj1, proj2, proj3
- Create a network in proj1
- Share the network with other projects:
  openstack network rbac create --type network --action access_as_shared --target-project <proj2 ID>
  openstack network rbac create --type network --action access_as_shared --target-project <proj3 ID>
- As admin, create multiple subnets in the network with --project
  openstack subnet create --project <proj2 ID> --network <network_id> ...
  openstack subnet create --project <proj3 ID> --network <network_id> ...
- Check that the project_id in the subnet is set to the project ID for each of the projects:
  openstack subnet show ...

Expected results:
- Requesting a subnet list in proj2 and proj3 only shows the subnets where 
  project_id == project ID for that project ("my project ID")
- Listing ports only shows the ports in the subnet(s) with project_id == "my project ID".
- Ports can only be created in subnets with project_id == "my project ID".
- A project isn't able to delete an (empty) 'foreign' subnet.

Actual results:
- A subnet list shows all subnets in the network, all subnets in all projects: UNEXPECTED
- Listing ports only shows the ports in subnets with "my project ID": EXPECTED
  However, see below.
- If the allocation pool for a subnet isn't depleted, any project is able to create ports in subnets,
  even if the project_id of that subnet != "my project ID": UNEXPECTED.
  After creating a port in a 'foreign subnet', the project is able to list those ports.
  To reproduce, use 'openstack port create'. Horizon seems to show the expected behavior.
- If a subnet has no ports, any project can delete a subnet, even if its project_id doesn't match
  the current project ID: UNEXPECTED.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: network neutron rbac subnet

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1784586

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1784586/+subscriptions
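
An audit for the condition described in this report, as an added example that is not part of the original bug report or Neutron's own code: given subnet and port records, it finds networks whose subnets belong to more than one project and ports whose project_id differs from the project_id of the subnet they sit in. The records are plain dicts using the Neutron API field names (`id`, `network_id`, `project_id`, `fixed_ips`, `device_owner`); the sample data is constructed, and skipping ports with a `network:` device_owner (DHCP, router interfaces) is an assumption made to avoid flagging service ports.

```python
from collections import defaultdict


def audit_shared_network(subnets, ports):
    """Return (mixed_networks, foreign_ports) for Neutron-style dict records."""
    subnet_owner = {s["id"]: s["project_id"] for s in subnets}

    # Networks whose subnets are owned by more than one project: the
    # setup under which the report observed cross-project access.
    owners_by_net = defaultdict(set)
    for s in subnets:
        owners_by_net[s["network_id"]].add(s["project_id"])
    mixed = {net: sorted(owners)
             for net, owners in owners_by_net.items() if len(owners) > 1}

    # Ports placed in a subnet that belongs to a different project.
    foreign = []
    for p in ports:
        # Assumption: service ports (DHCP, router interfaces) are expected
        # to have a different owner, so they are not reported.
        if p.get("device_owner", "").startswith("network:"):
            continue
        for ip in p.get("fixed_ips", []):
            owner = subnet_owner.get(ip["subnet_id"])
            if owner is not None and owner != p["project_id"]:
                foreign.append((p["id"], p["project_id"], ip["subnet_id"], owner))
    return mixed, foreign


# Constructed sample records (not taken from the bug report).
SUBNETS = [
    {"id": "sub-a", "network_id": "net-1", "project_id": "proj2"},
    {"id": "sub-b", "network_id": "net-1", "project_id": "proj3"},
    {"id": "sub-c", "network_id": "net-2", "project_id": "proj1"},
]
PORTS = [
    {"id": "port-1", "project_id": "proj2", "device_owner": "compute:nova",
     "fixed_ips": [{"subnet_id": "sub-a", "ip_address": "10.0.0.5"}]},
    {"id": "port-2", "project_id": "proj2", "device_owner": "",
     "fixed_ips": [{"subnet_id": "sub-b", "ip_address": "10.0.1.7"}]},
    {"id": "port-3", "project_id": "proj1", "device_owner": "network:dhcp",
     "fixed_ips": [{"subnet_id": "sub-a", "ip_address": "10.0.0.2"}]},
]

if __name__ == "__main__":
    mixed, foreign = audit_shared_network(SUBNETS, PORTS)
    print("networks with subnets from several projects:", mixed)
    for port_id, port_proj, subnet_id, subnet_proj in foreign:
        print(f"port {port_id} ({port_proj}) is in subnet {subnet_id} ({subnet_proj})")
```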

