yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2019960] Re: Can't protect the "default" security group from regular users

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Elvira García Ruiz <2019960@xxxxxxxxxxxxxxxxxx>
Date: Thu, 18 May 2023 13:49:50 -0000
Reply-to: Bug 2019960 <2019960@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

I see, thanks for the background! :) At first sight it looks like an RFE
then, but will ask other developers to further discuss this.

** Changed in: neutron
Importance: Wishlist => Undecided

** Changed in: neutron
Status: Opinion => New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019960

Title:
Can't protect the "default" security group from regular users

Status in neutron:
New

Bug description:
The 'default' security group is applied to all VMs in a tenant. This
means that tampering with it from one user can prevent other users'
VMs from working (e.g. deleting the "ssh ingress" rule). While you can
limit actions on the whole security group matching the "name" field
(field:security_groups:name=default), when limiting APIs dealing with
SG *rules* there is no way of accessing the SG the rule belongs to.
This means I can prevent deletion of rules from any SG - disallowing a
regular user from managing her own SG - or I must let her delete rules
from any SG.

Steps to reproduce:

- policy.yaml

"sg_is_default": "field:security_groups:name=default"
"delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default or (rule:sg_is_default and role:admin)"

- user can still delete rules from 'default'

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019960/+subscriptions

References

[Bug 2019960] [NEW] Can't protect the "default" security group from regular users
From: Paolo E. Mazzon, 2023-05-17