yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1988026] Re: Neutron should not create security group with project==None

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <1988026@xxxxxxxxxxxxxxxxxx>
Date: Thu, 01 Sep 2022 22:20:31 -0000
Reply-to: Bug 1988026 <1988026@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Also affects: ossa
   Importance: Undecided
       Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988026

Title:
  Neutron should not create security group with project==None

Status in neutron:
  New
Status in OpenStack Security Advisory:
  New

Bug description:
  When a non-admin user tries to list security groups for project_id
  "None", Neutron creates a default security group for that project and
  returns an empty list to the caller.

  To reproduce:

  openstack --os-cloud devstack security group list --project None
  openstack --os-cloud devstack-admin security group list

  The API call that is made is essentially

  GET /networking/v2.0/security-groups?project_id=None

  The expected result would be an authorization failure, since normal
  users should not be allowed to list security groups for other
  projects.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1988026/+subscriptions

References

[Bug 1988026] [NEW] Neutron should not create security group with project==None
From: Dr. Jens Harbott, 2022-08-29