yahoo-eng-team team mailing list archive

[Bug 1919386] [NEW] Project administrators are allowed to view networks across projects

Public bug reported:

The new default policies in neutron help fix tenancy issues where users
of one project are not allowed to view, create, modify, or delete
resources within another project (enforcing hard tenancy).

With the new policies enabled by default, I'm able to view networks for
other projects as an administrator of another project.

╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤  $ openstack --os-cloud devstack-alt-admin network create alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2021-03-16T21:27:28Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | alt-network                          |
| port_security_enabled     | True                                 |
| project_id                | 13bde21b76fe4744904785a9a61512b7     |
| provider:network_type     | vxlan                                |
| provider:physical_network | None                                 |
| provider:segmentation_id  | 3                                    |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2021-03-16T21:27:28Z                 |
+---------------------------+--------------------------------------+
╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤  $ openstack --os-cloud devstack-admin-admin network show alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2021-03-16T21:27:28Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | None                                 |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | alt-network                          |
| port_security_enabled     | True                                 |
| project_id                | 13bde21b76fe4744904785a9a61512b7     |
| provider:network_type     | vxlan                                |
| provider:physical_network | None                                 |
| provider:segmentation_id  | 3                                    |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2021-03-16T21:27:28Z                 |
+---------------------------+--------------------------------------+


╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤  $ cat /etc/openstack/clouds.yaml 
clouds:
  devstack-admin-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'
  devstack-alt-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: alt_demo
      user_domain_id: default
      username: alt_demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'

I used the following configuration in neutron.conf:

  [oslo_policy]
  enforce_new_defaults = True
  enforce_scope = True
  policy_file = /etc/neutron/policy.json

As the administrator of a project, I wouldn't expect to have access to
networks not directly, or indirectly (public networks), associated to my
project.

I think this is only applicable in the latest neutron branches
(Wallaby M3) since the functionality just merged within the last couple
of weeks.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1919386

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1919386/+subscriptions
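The isolation rule the report expects can be stated as a check: a caller should only see a network that belongs to its own project, is shared, or is an external (public) network. The following audit helper is an added example, not code from the bug report or from neutron. It applies that rule to a network listing and returns the entries that should not have been visible, so an operator can verify a deployment after enabling the new policy defaults. The pure logic runs offline against a constructed sample listing (ids and project ids are made up); the optional `audit_from_cloud` helper assumes `openstacksdk` is installed and a `clouds.yaml` entry exists, and uses the SDK's `Network.is_shared`, `Network.is_router_external` and `Connection.current_project_id` attributes.

```python
"""Tenancy audit for Neutron network visibility (added example).

Given the networks a caller can list and the caller's project id, flag every
network the caller should not be able to see under the expected isolation:
a network is legitimately visible only when it belongs to the caller's
project (direct association), is shared, or is an external/public network
(indirect association).
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Network:
    id: str
    name: str
    project_id: str
    shared: bool
    router_external: bool  # corresponds to Neutron's "router:external" field


def is_legitimately_visible(net: Network, caller_project_id: str) -> bool:
    """True when the caller has a direct or indirect tie to the network."""
    return (
        net.project_id == caller_project_id  # directly associated
        or net.shared                        # shared with all projects
        or net.router_external               # public/external network
    )


def find_cross_project_leaks(nets: Iterable[Network],
                             caller_project_id: str) -> List[Network]:
    """Networks visible to the caller that fail the isolation rule."""
    return [n for n in nets if not is_legitimately_visible(n, caller_project_id)]


# Constructed sample listing (hypothetical ids and project ids): what a project
# admin of project SAMPLE_CALLER_PROJECT might get back from a network list.
SAMPLE_CALLER_PROJECT = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
OTHER_PROJECT = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
THIRD_PROJECT = "cccccccccccccccccccccccccccccccc"
SAMPLE_NETWORKS = [
    Network("net-1", "private", SAMPLE_CALLER_PROJECT, False, False),  # own
    Network("net-2", "public", OTHER_PROJECT, False, True),            # external
    Network("net-3", "shared-net", OTHER_PROJECT, True, False),        # shared
    Network("net-4", "alt-network", THIRD_PROJECT, False, False),      # leak
]


def audit_from_cloud(cloud_name: str) -> List[Network]:
    """Run the check against a live cloud from clouds.yaml.

    The openstacksdk import is deferred so the pure logic above runs offline.
    Assumes openstacksdk is installed and `cloud_name` exists in clouds.yaml.
    """
    import openstack
    conn = openstack.connect(cloud=cloud_name)
    nets = [
        Network(n.id, n.name, n.project_id,
                bool(n.is_shared), bool(n.is_router_external))
        for n in conn.network.networks()
    ]
    return find_cross_project_leaks(nets, conn.current_project_id)


if __name__ == "__main__":
    for leak in find_cross_project_leaks(SAMPLE_NETWORKS, SAMPLE_CALLER_PROJECT):
        print(f"cross-project visibility: {leak.name} ({leak.id}) "
              f"owned by project {leak.project_id}")
```

Against the sample listing the only flagged entry is `alt-network`, which mirrors the report: the network is neither shared nor external and belongs to a different project, yet the caller can read it. Run `audit_from_cloud("devstack-admin-admin")` after enabling the new defaults; an empty result is the expected outcome once the policy behaves as described.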