yahoo-eng-team team mailing list archive
Message #74204
[Bug 1784586] Re: Networking guide doesn't clarify that subnets inherit the RBAC policies of their network
Reviewed: https://review.openstack.org/588844
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c205963399b47eaa48b11835e28f527fa4dbc60a
Submitter: Zuul
Branch: master
commit c205963399b47eaa48b11835e28f527fa4dbc60a
Author: Miguel Lavalle <miguel.lavalle@xxxxxxxxxx>
Date: Fri Aug 3 18:35:45 2018 -0500
Add note to RBAC chapter of Networking Guide
This commit adds a note to the RBAC chapter of the Networking Guide
clarifying that subnets inherit the RBAC policy entries of their
network.
Change-Id: Ic9256f3fcfe89b495c97df16fe6c6b3f052b9ab8
Closes-Bug: #1784586
** Changed in: neutron
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1784586
Title:
Networking guide doesn't clarify that subnets inherit the RBAC policies of their network
Status in neutron:
Fix Released
Bug description:
Subnets in an RBAC access_as_shared network are accessible to projects even if the subnet project_id doesn't match that project ID.
OpenStack version used for testing: Pike stable on Red Hat ("Red Hat
OpenStack Platform 12")
Steps to reproduce:
- Create three projects: proj1, proj2, proj3
- Create a network in proj1
- Share the network with other projects:
openstack network rbac create --type network --action access_as_shared --target-project <proj2 ID>
openstack network rbac create --type network --action access_as_shared --target-project <proj3 ID>
- As admin, create multiple subnets in the network with --project
openstack subnet create --project <proj2 ID> --network <network_id> ...
openstack subnet create --project <proj3 ID> --network <network_id> ...
- Check that the project_id in the subnet is set to the project ID for each of the projects:
openstack subnet show ...
Expected results:
- Requesting a subnet list in proj2 and proj3 only shows the subnets where project_id == project ID for that project ("my project ID")
- Listing ports only shows the ports in the subnet(s) with project_id == "my project ID".
- Ports can only be created in subnets with project_id == "my project ID".
- A project isn't able to delete an (empty) 'foreign' subnet.
Actual results:
- A subnet list shows all subnets in the network, all subnets in all projects: UNEXPECTED
- Listing ports only shows the ports in subnets with "my project ID": EXPECTED
However, see below.
- If the allocation pool for a subnet isn't depleted, any project is able to create ports in subnets, even if the project_id of that subnet != "my project ID": UNEXPECTED.
After creating a port in a 'foreign subnet', the project is able to list those ports.
To reproduce, use 'openstack port create'. Horizon seems to show the expected behavior.
- If a subnet has no ports, any project can delete a subnet, even if its project_id doesn't match the current project ID: UNEXPECTED.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1784586/+subscriptions
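As an added example (not part of the bug report or of Neutron's own code), the following Python audit models the inheritance described above: from network, subnet and RBAC records shaped like the Neutron API's, it computes which projects can reach each subnet and lists subnets whose project_id differs from the network owner. The sample records are constructed, and the field names (id, project_id, network_id, object_type, object_id, action, target_tenant) are assumed to match the API.

```python
"""Audit which projects can reach each subnet through network RBAC.

Neutron evaluates access_as_shared entries per network and subnets inherit
them, so a subnet's own project_id does not limit who can list it or create
ports in it."""

# Constructed sample records (placeholder IDs). Field names are assumed to
# follow the Neutron API: network/subnet use id, project_id, network_id;
# rbac entries use object_type, object_id, action, target_tenant.
NETWORKS = [{"id": "net-1", "project_id": "proj1"}]
SUBNETS = [
    {"id": "sub-a", "network_id": "net-1", "project_id": "proj1"},
    {"id": "sub-b", "network_id": "net-1", "project_id": "proj2"},
    {"id": "sub-c", "network_id": "net-1", "project_id": "proj3"},
]
RBAC_POLICIES = [
    {"object_type": "network", "object_id": "net-1",
     "action": "access_as_shared", "target_tenant": "proj2"},
    {"object_type": "network", "object_id": "net-1",
     "action": "access_as_shared", "target_tenant": "proj3"},
]


def effective_access(networks, subnets, policies):
    """Return {subnet_id: set of project IDs} able to use each subnet.

    A target_tenant of '*' (shared with everyone) is kept verbatim.
    """
    owner = {n["id"]: n["project_id"] for n in networks}
    shared = {}
    for p in policies:
        if p["object_type"] == "network" and p["action"] == "access_as_shared":
            shared.setdefault(p["object_id"], set()).add(p["target_tenant"])
    # Inheritance: every subnet gets the network owner plus all RBAC targets,
    # whatever its own project_id says.
    return {s["id"]: {owner[s["network_id"]]} | shared.get(s["network_id"], set())
            for s in subnets}


def foreign_subnets(networks, subnets):
    """Subnets whose project_id is not the network owner's; their project_id
    provides no isolation, so they deserve review."""
    owner = {n["id"]: n["project_id"] for n in networks}
    return sorted(s["id"] for s in subnets
                  if s["project_id"] != owner[s["network_id"]])

if __name__ == "__main__":
    for sid, projects in sorted(effective_access(NETWORKS, SUBNETS, RBAC_POLICIES).items()):
        print(sid, "reachable by", sorted(projects))
    print("non-owner project_id subnets:", foreign_subnets(NETWORKS, SUBNETS))
```

Running it against the sample shows all three subnets reachable by proj1, proj2 and proj3, matching the "subnet list shows all subnets" result in the report.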