← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2019960] [NEW] Can't protect the "default" security group from regular users

 

Public bug reported:

The 'default' security group is applied to all VMs in a tenant. This
means that tampering with it from one user can prevent other users' VMs
from working (e.g. deleting the "ssh ingress" rule). While you can limit
actions on the whole security group matching the "name" field
(field:security_groups:name=default), when limiting APIs dealing with SG
*rules* there is no way of accessing the SG the rule belongs to. This
means I can prevent deletion of rules from any SG - disallowing a
regular user from managing her own SG - or I must let her delete rules
from any SG.

Steps to reproduce:

- policy.yaml

"sg_is_default": "field:security_groups:name=default"
"delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default  or (rule:sg_is_default and role:admin)"

- user can still delete rules from 'default'

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019960

Title:
  Can't protect the "default" security group from regular users

Status in neutron:
  New

Bug description:
  The 'default' security group is applied to all VMs in a tenant. This
  means that tampering with it from one user can prevent other users'
  VMs from working (e.g. deleting the "ssh ingress" rule). While you can
  limit actions on the whole security group matching the "name" field
  (field:security_groups:name=default), when limiting APIs dealing with
  SG *rules* there is no way of accessing the SG the rule belongs to.
  This means I can prevent deletion of rules from any SG - disallowing a
  regular user from managing her own SG - or I must let her delete rules
  from any SG.

  Steps to reproduce:

  - policy.yaml

  "sg_is_default": "field:security_groups:name=default"
  "delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default  or (rule:sg_is_default and role:admin)"

  - user can still delete rules from 'default'

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019960/+subscriptions



Follow ups