yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1915308] Re: security group table doesn't observe Neutron policy settings

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Vishal Manchanda <1915308@xxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Mar 2021 05:46:52 -0000
Reply-to: Bug 1915308 <1915308@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

It is fixed by https://review.opendev.org/c/openstack/horizon/+/774922

** Changed in: horizon
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1915308

Title:
  security group table doesn't observe Neutron policy settings

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The security group panel enables all actions
  (create/edit/delete/manage rules/etc.) regardless of the network
  policy.yaml settings or user account.

  In the code there's this telling readme:

  # TODO(amotoki): [drop-nova-network] Add neutron policy support

  In my deployment this is a bit alarming -- users who are intended to
  be read-only are nonetheless invited to delete things.  Of course the
  Neutron backend /does/ observe the policy so this is ugly but not
  usually an actual security risk unless people have different back-end
  and front-end policy files.

  I'm flagging as security-related nonetheless for the odd edge case
  where it poses a risk.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1915308/+subscriptions