yahoo-eng-team team mailing list archive
Message #85566
[Bug 1919386] [NEW] Project administrators are allowed to view networks across projects
Public bug reported:
The new default policies in neutron help fix tenancy issues where users
of one project are not allowed to view, create, modify, or delete
resources within another project (enforcing hard tenancy).
With the new policies enabled by default, I'm able to view networks for
other projects as an administrator of another project.
╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ openstack --os-cloud devstack-alt-admin network create alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-03-16T21:27:28Z |
| description | |
| dns_domain | None |
| id | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_enabled | True |
| project_id | 13bde21b76fe4744904785a9a61512b7 |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 3 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-16T21:27:28Z |
+---------------------------+--------------------------------------+
╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ openstack --os-cloud devstack-admin-admin network show alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-03-16T21:27:28Z |
| description | |
| dns_domain | None |
| id | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_enabled | True |
| project_id | 13bde21b76fe4744904785a9a61512b7 |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 3 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-16T21:27:28Z |
+---------------------------+--------------------------------------+
╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ cat /etc/openstack/clouds.yaml
clouds:
  devstack-admin-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'
  devstack-alt-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: alt_demo
      user_domain_id: default
      username: alt_demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'
I used the following configuration in neutron.conf:
[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
policy_file = /etc/neutron/policy.json
As the administrator of a project, I wouldn't expect to have access to
networks not directly, or indirectly (public networks), associated with my
project.
I think this is only applicable in the latest neutron branches
(Wallaby M3) since the functionality just merged within the last couple
of weeks.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1919386
Title:
Project administrators are allowed to view networks across projects
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1919386/+subscriptions
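The expectation in the report, that a token holding the admin role on project admin should not pass the new-default get_network check for a network owned by alt_demo, comes down to how oslo.policy evaluates a rule string against the scope of the token. What follows is an added example, not neutron's or oslo.policy's code: a small evaluator for oslo.policy-style rule strings, run against a constructed rule set whose shape mirrors the secure-RBAC defaults (system-scoped admin, or a reader in the owning project, or a shared/external network) next to a legacy-shaped rule that accepts any admin role regardless of scope. The rule strings, the modelling of neutron's field: check, the credential dicts and the all-zero placeholder project id are assumptions; only alt-network's project_id and its shared/router:external values come from the report.

```python
# Added example (not neutron's or oslo.policy's code): a tiny evaluator for
# oslo.policy-style rule strings, contrasting a "new default" shaped
# get_network rule with a legacy-shaped one for several credential sets.
import re

# One token per parenthesis or word; '%(attr)s' stays inside its word.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)s)?")


def _check_atom(token, creds, target, rules):
    # Evaluate one leaf check against the credentials and the target.
    if token in ("@", "!"):   # oslo.policy: always allow / always deny
        return token == "@"
    kind, _, rest = token.partition(":")
    if kind == "rule":        # reference to another named rule
        return enforce(rules[rest], creds, target, rules)
    if kind == "role":        # role present in the token's role list
        return rest.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "field":       # neutron-style field:<resource>:<attr>=<value>, modelled here
        attr, _, value = rest.partition(":")[2].partition("=")
        return str(target.get(attr)) == value
    match = re.fullmatch(r"%\((\w+)\)s", rest)
    if match:                 # credential attribute must equal a target attribute
        wanted = target.get(match.group(1))
        return wanted is not None and creds.get(kind) == wanted
    return str(creds.get(kind)) == rest   # literal, e.g. system_scope:all


class _Parser:
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor :=
    'not' factor | '(' expr ')' | atom.  Both operands are always evaluated
    (no short-circuit) so that every token of the rule is consumed."""

    def __init__(self, rule, creds, target, rules):
        self.tokens = _TOKEN.findall(rule)
        self.creds, self.target, self.rules = creds, target, rules

    def peek(self):
        return self.tokens[0] if self.tokens else None

    def _chain(self, op, operand):
        result = operand()
        while self.peek() == op:
            self.tokens.pop(0)
            rhs = operand()
            result = (result or rhs) if op == "or" else (result and rhs)
        return result

    def expr(self):
        return self._chain("or", self.term)

    def term(self):
        return self._chain("and", self.factor)

    def factor(self):
        token = self.tokens.pop(0)
        if token == "not":
            return not self.factor()
        if token == "(":
            result = self.expr()
            if self.tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in rule")
            return result
        return _check_atom(token, self.creds, self.target, self.rules)


def enforce(rule, creds, target, rules):
    """True if rule string `rule` grants `creds` access to `target`."""
    if not rule.strip():      # empty rule allows everything, as in oslo.policy
        return True
    parser = _Parser(rule, creds, target, rules)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return bool(result)


# Constructed rule set: names follow neutron's conventions, but the strings
# are illustrative and not copied from any neutron release.
POLICY = {
    "admin_only": "role:admin and system_scope:all",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",
    # "new default" shape: system admin, reader in the owning project, or shared/external
    "get_network": "rule:admin_only or rule:project_reader or rule:shared or rule:external",
    # legacy shape: any token carrying the admin role, whatever its scope
    "get_network_legacy": "role:admin or project_id:%(project_id)s or rule:shared or rule:external",
}

# Target built from alt-network in the report; credential sets are constructed
# (the admin project's id is a placeholder, alt_demo's is the one shown).
ALT_NETWORK = {"project_id": "13bde21b76fe4744904785a9a61512b7",
               "shared": False, "router:external": False}
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
PROJECT_SCOPED_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "0" * 32}
ALT_DEMO_MEMBER = {"roles": ["member", "reader"], "project_id": "13bde21b76fe4744904785a9a61512b7"}


def can_get_network(creds, network, rule_name="get_network"):
    """Evaluate the named get_network rule for one credential set."""
    return enforce(POLICY[rule_name], creds, network, POLICY)
```

Under the new-default shape the system-scoped admin and the alt_demo member pass, the project-scoped admin fails unless the network is shared or external, and under the legacy shape the project-scoped admin passes on the admin role alone. Both clouds.yaml entries in the report request a project-scoped token (project_name is set, no system_scope), so neither can satisfy an admin_only branch written as above; whether neutron's real definitions and role implications still let that token through is decided by the effective policy, which oslopolicy-policy-generator --namespace neutron dumps and oslopolicy-checker (--policy, --access, --rule) can exercise against a saved token.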