yahoo-eng-team team mailing list archive
  
    Message #89647
  
 [Bug 1988026] Re: Neutron should not create security group with project==None
  
Reviewed:  https://review.opendev.org/c/openstack/neutron/+/855580
Committed: https://opendev.org/openstack/neutron/commit/01fc2b9195f999df4d810df4ee63f77ecbc81f7e
Submitter: "Zuul (22348)"
Branch:    master
commit 01fc2b9195f999df4d810df4ee63f77ecbc81f7e
Author: Brian Haley <haleyb.dev@xxxxxxxxx>
Date:   Thu Sep 1 21:13:44 2022 -0400
    Do not allow a tenant to create a default SG for another one
    
    The attempt to list security groups for a project, or any
    random string, can create a default SG for it. Only allow if
    privileges support it.
    
    Closes-bug: #1988026
    
    Change-Id: Ieef7011f48cd2188d4254ff16d90a6465bbabfe3
** Changed in: neutron
       Status: In Progress => Fix Released
-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988026
Title:
  Neutron should not create security group with project==None
Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  New
Bug description:
  When a non-admin user tries to list security groups for project_id
  "None", Neutron creates a default security group for that project and
  returns an empty list to the caller.
  To reproduce:
  openstack --os-cloud devstack security group list --project None
  openstack --os-cloud devstack-admin security group list
  The API call that is made is essentially
  GET /networking/v2.0/security-groups?project_id=None
  The expected result would be an authorization failure, since normal
  users should not be allowed to list security groups for other
  projects.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1988026/+subscriptions
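
Added example, not part of the original message and not Neutron's code: a toy Python model of the behaviour the bug description reports (a filtered list call that creates a default security group for the filter's project) beside one possible privilege check that yields the authorization failure the reporter expected. Context, SecurityGroupStore, Forbidden and the project name proj-a are hypothetical.

```python
"""Toy model of the reported behaviour; names here are hypothetical."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the authorization failure the report expects."""


@dataclass(frozen=True)
class Context:
    """Hypothetical request context: who is calling."""
    project_id: str
    is_admin: bool = False


@dataclass
class SecurityGroupStore:
    """Hypothetical in-memory stand-in for the security group table."""
    groups: list = field(default_factory=list)  # (project_id, name) tuples

    def _ensure_default(self, project_id):
        if (project_id, "default") not in self.groups:
            self.groups.append((project_id, "default"))

    def _visible(self, ctx, project_id):
        # Apply the optional filter, then hide other projects from non-admins.
        return [g for g in self.groups
                if (project_id is None or g[0] == project_id)
                and (ctx.is_admin or g[0] == ctx.project_id)]

    def list_unchecked(self, ctx, project_id=None):
        """Reported behaviour: the filter value picks the project to write to."""
        target = project_id or ctx.project_id
        self._ensure_default(target)  # write side effect on a read request
        return self._visible(ctx, project_id)

    def list_checked(self, ctx, project_id=None):
        """One possible check: refuse cross-project targets without privileges."""
        target = project_id or ctx.project_id
        if target != ctx.project_id and not ctx.is_admin:
            raise Forbidden(f"{ctx.project_id} may not act on project {target}")
        self._ensure_default(target)
        return self._visible(ctx, project_id)
```

In the unchecked path the caller sees an empty list while the store has gained a row for the project named "None", which is why the second (admin) listing in the reproduction steps is needed to observe the effect.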