
yahoo-eng-team team mailing list archive

[Bug 2019960] Re: Can't protect the "default" security group from regular users

Hi there! Thanks for your report.

My initial thought on this is that maybe if you want to prevent a user
from modifying the security group of another user, using different
projects might be a good idea for that, since then the user will be
isolated in their project and not able to change the security groups or
any other resource from a project they don't have access to.

However, there might be a different use case I'm not aware of that cannot
be resolved this way; I will be happy to know more about it. For now I'm
setting this as Opinion since this is expected behaviour and not a bug,
but we can keep discussing and change the status as needed.

** Changed in: neutron
       Status: New => Opinion

** Changed in: neutron
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019960

Title:
  Can't protect the "default" security group from regular users

Status in neutron:
  Opinion

Bug description:
  The 'default' security group is applied to all VMs in a tenant. This
  means that tampering with it from one user can prevent other users'
  VMs from working (e.g. deleting the "ssh ingress" rule). While you can
  limit actions on the whole security group matching the "name" field
  (field:security_groups:name=default), when limiting APIs dealing with
  SG *rules* there is no way of accessing the SG the rule belongs to.
  This means I can prevent deletion of rules from any SG - disallowing a
  regular user from managing her own SG - or I must let her delete rules
  from any SG.

  Steps to reproduce:

  - policy.yaml

  "sg_is_default": "field:security_groups:name=default"
  "delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default  or (rule:sg_is_default and role:admin)"

  - user can still delete rules from 'default'

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019960/+subscriptions
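To make the failure in the report concrete, the following is a small Python model added for this archive page (it is not neutron's or oslo.policy's code) of how the two policy.yaml rules above resolve against an API target. The evaluator, the credential dict and the target dicts are simplified assumptions; the rule strings are the report's own. The point it shows: the field: check is looked up on the target resource itself, and a security_group_rule target carries security_group_id but no name, so sg_is_default is false for every rule and the member branch of delete_security_group_rule allows the delete.

```python
import re
# Rule strings are the report's own; the evaluator is a simplified model, not oslo.policy.
POLICY = {
    "sg_is_default": "field:security_groups:name=default",
    "delete_security_group_rule": (
        "role:member and project_id:%(project_id)s and not rule:sg_is_default"
        " or (rule:sg_is_default and role:admin)"),
}

def check_atom(atom, creds, target):
    kind, _, rest = atom.partition(":")
    if kind == "role":
        return rest in creds["roles"]
    if kind == "rule":
        return evaluate(POLICY[rest], creds, target)
    if kind == "field":
        # FieldCheck reads the attribute from the target resource itself; a rule
        # target carries security_group_id but no 'name', so this misses every time
        attr, value = rest.split(":", 1)[1].split("=", 1)
        return target.get(attr) == value
    # GenericCheck: credential value against the target-substituted value
    return str(creds.get(kind)) == rest % target

def evaluate(expr, creds, target):
    # Recursive-descent walk with oslo.policy precedence: not > and > or
    tokens = re.findall(r"[()]|(?:%\(\w+\)s|[^\s()])+", expr)
    def parse_binary(op, operand, combine):
        result = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            result = combine(result, operand())
        return result
    def parse_not():
        tok = tokens.pop(0)
        if tok == "not":
            return not parse_not()
        if tok == "(":
            result = parse_or()
            tokens.pop(0)  # the closing ')'
            return result
        return check_atom(tok, creds, target)
    parse_and = lambda: parse_binary("and", parse_not, lambda a, b: a and b)
    parse_or = lambda: parse_binary("or", parse_and, lambda a, b: a or b)
    return parse_or()

def can_delete_rule(creds, rule_target):
    return evaluate(POLICY["delete_security_group_rule"], creds, rule_target)

# Constructed sample data (not from the report): a p1 member and a rule in p1's 'default' group
MEMBER = {"roles": ["member"], "project_id": "p1"}
RULE_IN_DEFAULT = {"id": "r1", "security_group_id": "sg-default", "project_id": "p1"}
```

can_delete_rule(MEMBER, RULE_IN_DEFAULT) returns True, which is the "user can still delete rules from 'default'" outcome; the same sg_is_default rule evaluated against the security group itself (a target with name set to default) returns True, so the rule only works on the resource that carries the name.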