yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #89628
[Bug 1988026] Re: Neutron should not create security group with project==None
** Also affects: ossa
Importance: Undecided
Status: New
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988026
Title:
Neutron should not create security group with project==None
Status in neutron:
New
Status in OpenStack Security Advisory:
New
Bug description:
When a non-admin user tries to list security groups for project_id
"None", Neutron creates a default security group for that project and
returns an empty list to the caller.
To reproduce:
openstack --os-cloud devstack security group list --project None
openstack --os-cloud devstack-admin security group list
The API call that is made is essentially
GET /networking/v2.0/security-groups?project_id=None
The expected result would be an authorization failure, since normal
users should not be allowed to list security groups for other
projects.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1988026/+subscriptions
References