yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #92367
[Bug 2019960] [NEW] Can't protect the "default" security group from regular users
Public bug reported:
The 'default' security group is applied to all VMs in a tenant. This
means that tampering with it from one user can prevent other users' VMs
from working (e.g. deleting the "ssh ingress" rule). While you can limit
actions on the whole security group matching the "name" field
(field:security_groups:name=default), when limiting APIs dealing with SG
*rules* there is no way of accessing the SG the rule belongs to. This
means I can prevent deletion of rules from any SG - disallowing a
regular user from managing her own SG - or I must let her delete rules
from any SG.
Steps to reproduce:
- policy.yaml
"sg_is_default": "field:security_groups:name=default"
"delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default or (rule:sg_is_default and role:admin)"
- user can still delete rules from 'default'
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019960
Title:
Can't protect the "default" security group from regular users
Status in neutron:
New
Bug description:
The 'default' security group is applied to all VMs in a tenant. This
means that tampering with it from one user can prevent other users'
VMs from working (e.g. deleting the "ssh ingress" rule). While you can
limit actions on the whole security group matching the "name" field
(field:security_groups:name=default), when limiting APIs dealing with
SG *rules* there is no way of accessing the SG the rule belongs to.
This means I can prevent deletion of rules from any SG - disallowing a
regular user from managing her own SG - or I must let her delete rules
from any SG.
Steps to reproduce:
- policy.yaml
"sg_is_default": "field:security_groups:name=default"
"delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default or (rule:sg_is_default and role:admin)"
- user can still delete rules from 'default'
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019960/+subscriptions
Follow ups