yahoo-eng-team team mailing list archive

[Bug 1657406] Re: admin users can access resources from other projects

 

Bug closed due to lack of activity, please feel free to reopen if
needed.

** Changed in: neutron
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1657406

Title:
  admin users can access resources from other projects

Status in neutron:
  Won't Fix

Bug description:
  We're seeing a problem similar to the one described in
  https://bugs.launchpad.net/nova/+bug/1046054 for the Neutron endpoint
  /v2.0/security-groups in Mitaka.

  Making a project-scoped request to this endpoint with an admin user
  returns a list of security groups including all security groups of all
  projects. Also, PUT or POST requests do work for a security group in
  another project. The same applies to the endpoint /v2.0/networks/. Note
  that this does not apply to e.g. nova's server resource, but might
  apply to other resources as well.

  OpenStack version: Mitaka

  How to reproduce:
  1. Create two projects A and B
  2. Create a new user 'UserA'
  3. Assign 'UserA' to the project A and give her the role admin
  4. Use the openstack CLI or curl to make a GET request to /v2.0/security-groups with an auth scope for project A
  => The security groups of project B (and potentially all other projects in the OpenStack installation) are part of the response.

  Not sure if this is related to bug
  https://bugs.launchpad.net/keystone/+bug/968696

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1657406/+subscriptions
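
An added example, not part of the bug report or of Neutron's code: a check an operator could run over saved response bodies from the two endpoints named in the report, listing every resource owned by a project other than the one the token was scoped to. The sample bodies and all IDs are constructed, and treating `shared` and `router:external` networks as legitimately visible is an assumption of this sketch.

```python
import json
from collections import defaultdict

# Collection key in the response body of each endpoint named in the report.
ENDPOINT_KEYS = {
    "/v2.0/security-groups": "security_groups",
    "/v2.0/networks": "networks",
}

def owner_of(resource):
    """Owning project: Neutron returns tenant_id (later releases add project_id)."""
    return resource.get("project_id") or resource.get("tenant_id") or "<no owner>"

def visible_by_design(resource):
    """Assumption: shared and external networks are meant to be seen by every project."""
    return bool(resource.get("shared") or resource.get("router:external"))

def out_of_scope(endpoint, body, scoped_project_id):
    """Map foreign project ID -> IDs of resources returned to a token scoped elsewhere."""
    foreign = defaultdict(list)
    for res in json.loads(body)[ENDPOINT_KEYS[endpoint]]:
        if visible_by_design(res):
            continue
        owner = owner_of(res)
        if owner != scoped_project_id:
            foreign[owner].append(res["id"])
    return dict(foreign)

# Constructed sample data: project IDs and response bodies are placeholders.
PROJECT_A, PROJECT_B = "aaaa-project-a", "bbbb-project-b"
SAMPLE_SECURITY_GROUPS = json.dumps({"security_groups": [
    {"id": "sg-a-1", "name": "default", "tenant_id": PROJECT_A},
    {"id": "sg-b-1", "name": "default", "tenant_id": PROJECT_B},
    {"id": "sg-b-2", "name": "web", "tenant_id": PROJECT_B},
]})
SAMPLE_NETWORKS = json.dumps({"networks": [
    {"id": "net-a-1", "tenant_id": PROJECT_A, "shared": False},
    {"id": "net-b-1", "tenant_id": PROJECT_B, "shared": False},
    {"id": "net-b-shared", "tenant_id": PROJECT_B, "shared": True},
    {"id": "net-ext", "tenant_id": PROJECT_B, "router:external": True},
]})

def audit(bodies, scoped_project_id):
    """Run the check for every endpoint; keep only endpoints with findings."""
    report = {ep: out_of_scope(ep, body, scoped_project_id) for ep, body in bodies.items()}
    return {ep: found for ep, found in report.items() if found}

if __name__ == "__main__":
    bodies = {"/v2.0/security-groups": SAMPLE_SECURITY_GROUPS, "/v2.0/networks": SAMPLE_NETWORKS}
    for endpoint, found in audit(bodies, PROJECT_A).items():
        print(endpoint, found)
```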