yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1657406] Re: admin users can access resources from other projects

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Rodolfo Alonso <1657406@xxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Oct 2022 11:41:17 -0000
Reply-to: Bug 1657406 <1657406@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Bug closed due to lack of activity, please feel free to reopen if
needed.

** Changed in: neutron
Status: Confirmed => Won't Fix

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1657406

Title:
admin users can access resources from other projects

Status in neutron:
Won't Fix

Bug description:
We're seeing a similar problem like the one described in
https://bugs.launchpad.net/nova/+bug/1046054 for the Neutron endpoint
/v2.0/security-groups in Mitaka.

Making a project-scoped request to this endpoint with an admin user
returns a list of security groups including all security groups of all
projects. Also PUT or POST request do work for security group in
another project. The same applies to endpoint /v2.0/networks/. Note
that this does not apply for e.g. nova's server resource, but might
apply to other resources as well.

OpenStack version: Mitaka

How to reproduce:
1. Create two projects A and B
2. Create a new user 'UserA'
2. Assign 'UserA' to the project A and give her the role admin
3. Use the openstack cli or curl to make a GET request to /v2.0/security-groups with an auth scope for project A
=> The security groups of project B (and potentially all other projects in the OpenStack installation) are part of the response.

Not sure if this is related to bug
https://bugs.launchpad.net/keystone/+bug/968696

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1657406/+subscriptions