
yahoo-eng-team team mailing list archive

[Bug 2054590] Re: Sharing of networks and security groups in OpenStack


Looks like my comment raced Slawek's second. If there is no change
planned to the default policy nor specific recommendations for operators
to adjust their own, then an OSSN wouldn't be appropriate either.

It's possible this is merely a case that needs to be more clearly
explained in Neutron's documentation, or some UX improvement (OSC,
Horizon...) when listing to make it more obvious who shared a particular
network or security group.

** No longer affects: ossn

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2054590

Title:
  Sharing of networks and security groups in OpenStack

Status in neutron:
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  I have been looking into the possibility of sharing security groups
  cloud-wide. I found the following command "openstack network rbac
  create ...". But I expected from a security perspective, that only
  admins (== cloud operator) should be able to use this.

  I found out that as a user with the member role, I could also share security groups with a project as long as I know the name of the project. And not only that, I was also able to share a network that can then be found when searching for external networks (it is a private network):
  ```
  $ openstack network rbac create --target-project test-proj-2 --action access_as_shared --type security_group 44c6734a-baf7-4e90-8ba4-27001342d9ea
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | action            | access_as_shared                     |
  | id                | 8f5ea6a4-adbe-4bfa-88af-5205853cf01c |
  | object_id         | 44c6734a-baf7-4e90-8ba4-27001342d9ea |
  | object_type       | security_group                       |
  | project_id        | 8c59028a6e5144a78dfee2364d529070     |
  | target_project_id | test-proj-2                          |
  +-------------------+--------------------------------------+

  $ openstack network rbac create --target-project test-proj-2 --action access_as_external --type network test-net2
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | action            | access_as_external                   |
  | id                | 33ec8b68-49bd-49c8-8216-78619f4de557 |
  | object_id         | 1bfab47d-b2f7-4c1b-a797-ba9d79121af7 |
  | object_type       | network                              |
  | project_id        | 8c59028a6e5144a78dfee2364d529070     |
  | target_project_id | test-proj-2                          |
  +-------------------+--------------------------------------+

  $ openstack network rbac list --long
  +-----------------------------------+----------------+------------------------------------+--------------------+
  | ID                                | Object Type    | Object ID                          | Action             |
  +-----------------------------------+----------------+------------------------------------+--------------------+
  | 84d026d9-619b-487a-825f-          | security_group | a4c7070f-b7c8-499c-91aa-           | access_as_shared   |
  | c35c67869162                      |                | b6cf1c7cc1f1                       |                    |
  | 8f5ea6a4-adbe-4bfa-88af-          | security_group | 44c6734a-baf7-4e90-8ba4-           | access_as_shared   |
  | 5205853cf01c                      |                | 27001342d9ea                       |                    |
  | 33ec8b68-49bd-49c8-8216-          | network        | 1bfab47d-b2f7-4c1b-a797-           | access_as_external |
  | 78619f4de557                      |                | ba9d79121af7                       |                    |
  +-----------------------------------+----------------+------------------------------------+--------------------+
  ```
  An admin can see the new "external network":
  ```
  $ openstack network list --external
  +------------------------------+-----------+------------------------------+
  | ID                           | Name      | Subnets                      |
  +------------------------------+-----------+------------------------------+
  | 1bfab47d-b2f7-4c1b-a797-     | test-net2 |                              |
  | ba9d79121af7                 |           |                              |
  | 73edb86b-d7ab-4db3-82b7-     | public    | 3e0206bc-53c8-44ca-a0f1-     |
  | 25fa8b012e40                 |           | 2c2548bba766, 84dffd43-6d7f- |
  |                              |           | 4c2f-9180-8f0f0b83c9d4       |
  +------------------------------+-----------+------------------------------+
  ```

  From my perspective this could be used to advertise security groups or
  even networks to other projects and their users. This could be used in
  a social engineering way to get access to the network traffic or
  access to VMs.

  There is a policy that can be changed to admin-only access for this
  endpoint in the neutron policy file:

  ```
  "create_rbac_policy": "rule:admin_only"
  "create_rbac_policy:target_tenant": "rule:admin_only"
  ```

  I just wonder: this seems to be explicitly implemented this way. Is
  this behavior really wanted? In my opinion the default should be to
  only let administrators do such things as sharing networks or security
  groups.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2054590/+subscriptions
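Two practical questions come out of the thread above: which RBAC policies in a cloud were created by ordinary member projects rather than by the operator (the reporter's concern), and "who shared this network or security group with me?" (the UX gap mentioned in the reply). The script below is an added example, not Neutron's or the reporter's code. It works on policy records with the same fields the `openstack network rbac create` output on this page shows (`action`, `id`, `object_id`, `object_type`, `project_id`, `target_project_id`); in a real run you would feed it the JSON from `openstack network rbac show <id> -f json` for each policy, here the records are constructed by hand to mirror the three policies in the report (the wildcard `*` target on the first one is a constructed detail). The operator project id in `OPERATOR_PROJECTS` is an assumption you would replace with your own.

```python
"""Audit Neutron RBAC policies: flag policies created outside operator
projects and answer "who shared this object?".  Added example, not part of
Neutron; record fields follow the `openstack network rbac create` output."""
import json
from collections import defaultdict

# Assumption: the operator's own project id(s).  Policies owned by these are
# expected; anything else marking networks external or sharing cloud-wide
# is what the bug report is worried about.
OPERATOR_PROJECTS = {"a1b2c3d4e5f64a7b8c9d0e1f2a3b4c5d"}

# Constructed sample mirroring the three policies listed in the report.
# project_id is the member's project that created each policy; "*" means
# the object was shared with every project (constructed detail).
SAMPLE_RBAC_JSON = """[
 {"action": "access_as_shared", "id": "84d026d9-619b-487a-825f-c35c67869162",
  "object_id": "a4c7070f-b7c8-499c-91aa-b6cf1c7cc1f1", "object_type": "security_group",
  "project_id": "8c59028a6e5144a78dfee2364d529070", "target_project_id": "*"},
 {"action": "access_as_shared", "id": "8f5ea6a4-adbe-4bfa-88af-5205853cf01c",
  "object_id": "44c6734a-baf7-4e90-8ba4-27001342d9ea", "object_type": "security_group",
  "project_id": "8c59028a6e5144a78dfee2364d529070", "target_project_id": "test-proj-2"},
 {"action": "access_as_external", "id": "33ec8b68-49bd-49c8-8216-78619f4de557",
  "object_id": "1bfab47d-b2f7-4c1b-a797-ba9d79121af7", "object_type": "network",
  "project_id": "8c59028a6e5144a78dfee2364d529070", "target_project_id": "test-proj-2"}
]"""


def load_policies(text):
    """Parse a JSON list of rbac-policy records (one dict per policy)."""
    return json.loads(text)


def audit(policies, operator_projects=OPERATOR_PROJECTS):
    """Return (severity, policy_id, message) for each policy whose owner is
    not an operator project.  access_as_external granted by a tenant is the
    worst case: the network then appears in `openstack network list
    --external`; a wildcard share is next; a single-project share is low."""
    out = []
    for p in policies:
        owner = p["project_id"]
        if owner in operator_projects:
            continue
        target = p["target_project_id"]
        what = f"{p['object_type']} {p['object_id']}"
        if p["action"] == "access_as_external":
            out.append(("high", p["id"],
                        f"project {owner} marked {what} external for {target}"))
        elif p["action"] == "access_as_shared":
            sev = "medium" if target == "*" else "low"
            out.append((sev, p["id"],
                        f"project {owner} shared {what} with {target}"))
        else:
            out.append(("info", p["id"],
                        f"project {owner}: {p['action']} on {what}"))
    return out


def shared_by(policies):
    """Map (object_type, object_id) -> set of projects that created a policy
    for it, i.e. the 'who shared this with me?' the listing does not show."""
    owners = defaultdict(set)
    for p in policies:
        owners[(p["object_type"], p["object_id"])].add(p["project_id"])
    return dict(owners)


if __name__ == "__main__":
    pols = load_policies(SAMPLE_RBAC_JSON)
    for sev, pid, msg in audit(pols):
        print(f"[{sev}] {pid}: {msg}")
    for (otype, oid), owners in shared_by(pols).items():
        print(f"{otype} {oid} shared by {', '.join(sorted(owners))}")
```

Run against the sample, the `access_as_external` policy on the private network is reported as high, the wildcard security-group share as medium and the project-scoped share as low; passing the member's project id as the operator set clears all findings, which is the state an operator would be in after restricting `create_rbac_policy` to `rule:admin_only` and cleaning up existing tenant-created policies.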