
yahoo-eng-team team mailing list archive

[Bug 2023679] Re: create_subnet policy allows users to create subnet in the shared networks


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/886231
Committed: https://opendev.org/openstack/neutron/commit/6e3525188fdfbe7fabd665e21df2068280471689
Submitter: "Zuul (22348)"
Branch:    master

commit 6e3525188fdfbe7fabd665e21df2068280471689
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Jun 15 12:59:03 2023 -0700

    [S-RBAC] Fix policies for CUD subnets APIs
    
    In the new, secure RBAC policies for create subnet the rule
    "ADMIN_OR_PROJECT_MEMBER" was used, and that was wrong as this rule
    basically allows any member (PROJECT_MEMBER) to create a subnet in
    networks visible to them; that project does not necessarily need to be
    the owner of that network. So it allowed users to create new subnets in
    the shared or provider networks as well.
    Now the policy for create subnet is ADMIN OR NET_OWNER_MEMBER to avoid that.
    
    Additionally this patch also fixes the policies for the update and delete
    subnet APIs, where the rule NET_OWNER was used, which effectively allowed
    a network owner who has only the READER role to update or delete a subnet.
    Now this is also fixed by using the NET_OWNER_MEMBER rule instead.
    
    Closes-Bug: #2023679
    
    Change-Id: Ia494872b58f368581fb29fa40b7da17e1071db22


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2023679

Title:
  create_subnet policy allows users to create subnet in the shared
  networks

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  ## Context
  We normally provide the external network as a shared resource so any user can use it.
  But with this new scoped policy, users can create subnets in that external network even if they are not a member of the admin project.
  ```
  "create_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner"
  ```
  If I remove the `(role:member and project_id:%(project_id)s)` partial rule or change `project_id:%(project_id)s` to `project_id:%(network:project_id)s`, then it works as expected, i.e. users cannot create subnets in the external network.

  ## Expected result
  Users should not be able to create subnets in shared networks or default networks if they are not members of the networks' owning projects.

  ## Version info
  release: stable/zed
  I was able to reproduce it in a zed Devstack as well. Btw, master Devstack works as expected.

  ## Workaround
  We use the deprecated rule `"create_subnet":"rule:admin_or_network_owner"` and it works without any issue.

  ## Concern
  - I am not sure why we need `(role:member and project_id:%(project_id)s)` rule.
  - I didn't have a chance to check whether other new policies also have such a permission gap.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2023679/+subscriptions
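
To make the permission gap concrete, the following is an added example written for this page; it is not Neutron's code and does not use oslo.policy. It re-implements only the subset of oslo.policy check syntax these rules rely on (`rule:`, `role:`, `key:%(target_attr)s`, `and`/`or`, parentheses) and evaluates, side by side, the vulnerable `create_subnet` rule quoted in the bug report, the `NET_OWNER`-based update/delete rules the commit message describes, and the fixed `ADMIN OR NET_OWNER_MEMBER` form. The base rule definitions, the exact update/delete strings, and the way `decide()` pre-fills `network:project_id` in the request target are assumptions of the example (real Neutron resolves the parent network's owner by loading the network); the projects and roles in the scenarios are constructed.

```python
"""Vulnerable vs. fixed subnet policies through a tiny oslo.policy-style
evaluator.  Added example: not Neutron's code and not oslo.policy; it covers
only the check syntax these rules need, and the policy strings are assembled
from the bug report and the commit message (an assumption, see comments)."""
import re

_SUBST = re.compile(r"%\(([^)]+)\)s")                  # %(attr)s in a check
# A token is '(' or ')' or a check such as project_id:%(network:project_id)s;
# the '(...)s' of a substitution is kept inside its check, not split out.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)s)?")


def parse(rule):
    """Build ('and'|'or', l, r) / ('check', kind, match) tuples by recursive
    descent over the tokens; 'and' binds tighter than 'or' as in oslo.policy."""
    tokens, pos = _TOKEN.findall(rule), [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else None

    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % rule)
            return node
        if tok is None or ":" not in tok:
            raise ValueError("bad check %r in %r" % (tok, rule))
        return ("check",) + tuple(tok.split(":", 1))

    def chain(op, sub):           # left-associative `sub (op sub)*`
        node = sub()
        while (peek() or "").lower() == op:
            take()
            node = (op, node, sub())
        return node

    def expr():
        return chain("or", lambda: chain("and", factor))

    node = expr()
    if peek() is not None:
        raise ValueError("trailing tokens %r in %r" % (tokens[pos[0]:], rule))
    return node


def evaluate(node, rules, creds, target):
    """True if the parsed rule passes for these credentials and target."""
    def ev(sub):
        return evaluate(sub, rules, creds, target)
    op, a, b = node
    if op == "and":
        return ev(a) and ev(b)
    if op == "or":
        return ev(a) or ev(b)
    kind, match = a, b
    if kind == "rule":                     # RuleCheck: an undefined rule fails
        return match in rules and ev(rules[match])
    if kind == "role":                     # RoleCheck: case-insensitive
        return match.lower() in {r.lower() for r in creds.get("roles", ())}
    # GenericCheck: fill %(attr)s from the target, compare with creds[kind]
    if kind not in creds or any(k not in target for k in _SUBST.findall(match)):
        return False
    return str(creds[kind]) == _SUBST.sub(lambda m: str(target[m.group(1)]), match)


def enforce(policy, action, creds, target):
    """Decide one request under a policy dict of {rule_name: rule_string}."""
    rules = {name: parse(text) for name, text in policy.items()}
    return action in rules and evaluate(rules[action], rules, creds, target)


# Base rules and fragments: simplified from the shape of Neutron's secure-RBAC
# defaults (this example's assumption, not copied from the project).
BASE = {"context_is_admin": "role:admin",
        "admin_only": "rule:context_is_admin",
        "network_owner": "project_id:%(network:project_id)s"}
ADMIN = "(rule:admin_only)"
PROJECT_MEMBER = "(role:member and project_id:%(project_id)s)"
NET_OWNER_MEMBER = "(role:member and project_id:%(network:project_id)s)"
# Before the fix: create_subnet exactly as quoted in the bug report; update
# and delete fall back to NET_OWNER, as the commit message describes.
OLD_POLICY = dict(BASE, create_subnet=ADMIN + " or " + PROJECT_MEMBER + " or rule:network_owner",
                  update_subnet=ADMIN + " or rule:network_owner",
                  delete_subnet=ADMIN + " or rule:network_owner")
# After the fix: ADMIN or NET_OWNER_MEMBER for all three subnet APIs.
NEW_POLICY = dict(BASE, **{api: ADMIN + " or " + NET_OWNER_MEMBER
                           for api in ("create_subnet", "update_subnet", "delete_subnet")})


def decide(action, roles, caller_project, network_project):
    """(old decision, fixed decision) for a caller acting on a subnet of its own
    project in a network owned by network_project.  Constructed target: real
    Neutron loads the parent network to resolve network:project_id."""
    creds = {"project_id": caller_project, "roles": list(roles)}
    target = {"project_id": caller_project, "network:project_id": network_project}
    return (enforce(OLD_POLICY, action, creds, target),
            enforce(NEW_POLICY, action, creds, target))
```

`decide("create_subnet", ["member", "reader"], "B", "A")` returns `(True, False)`: under the old rule a member of project B is allowed to create a subnet in A's shared network, because `project_id:%(project_id)s` compares the caller's project with the subnet's own project, which is the same value, while the fixed rule compares it with the network's owner and refuses. `decide("update_subnet", ["reader"], "A", "A")` also returns `(True, False)`, which is the reader-only network owner case from the commit message. A member of the owning project and an admin get `(True, True)` under both policies, and a member of another project gets `(False, False)` for update and delete, so the fix removes exactly the two unintended grants.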