yahoo-eng-team team mailing list archive

[Bug 2091536] [NEW] Users of RBAC-shared networks can add their own router to bypass fwaas restrictions

Public bug reported:

I don't believe this is a bug as such, but additional policy in this
area could be helpful.

We have a set of networks which are created against an admin project,
and then shared into other projects via RBAC as required. The admin
project creates a router for the networks, and we use FWaaS to restrict
inbound/outbound traffic via the router. This is being used in the
context of Ironic nodes which don't have security groups, and some VLAN
networks with additional hardware devices present.

We have noted that a user in a project which has access to the network
via RBAC can create an additional router and attach it to the network,
provided they do so by port rather than subnet as this won't use the
subnet's 'gateway IP'. The user can then associate floating IPs via
their router, and establish inbound and outbound connectivity provided
they override the DHCP-provided gateway address.

In order to work around this, we have modified code to restrict
attaching router interfaces to the network owner (admin in this case).
It wasn't possible to achieve this via the 'add_router_interface' policy
as the policy relates to the owner of the router rather than the owner
of the network. It would be helpful if the policy mechanism had the
means to address this.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091536

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091536/+subscriptions
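The report above describes two things worth seeing side by side: why a tenant on an RBAC-shared network succeeds when attaching a router interface by port but not by subnet, and why a policy keyed on the router's owner cannot express "only the network owner may attach". The following is an added illustration written for this page, not neutron code and not the reporter's patch. It models the request with an in-memory inventory (network, subnet, ports, routers and RBAC grants are all constructed here), a router-owner rule standing in for the stock `admin_or_owner` style check, and a network-owner rule standing in for the workaround the reporter describes. Ordering of the checks and the refusal strings are simplified relative to what neutron actually returns.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Request context: calling project and whether it is an admin."""
    project_id: str
    is_admin: bool = False


# Constructed inventory (illustrative names, not from the bug report):
# one network owned by the admin project, shared to "tenant-a" via RBAC.
NETWORKS = {"net-ironic": {"project_id": "admin-proj"}}
SUBNETS = {"subnet-1": {"network_id": "net-ironic", "gateway_ip": "10.0.0.1"}}
PORTS = {
    # the admin router's interface; it holds the subnet's gateway IP
    "gw-port": {"network_id": "net-ironic", "project_id": "admin-proj",
                "fixed_ips": ["10.0.0.1"]},
    # a port the tenant created for itself on the shared network
    "rogue-port": {"network_id": "net-ironic", "project_id": "tenant-a",
                   "fixed_ips": ["10.0.0.50"]},
}
ROUTERS = {"admin-router": {"project_id": "admin-proj"},
           "rogue-router": {"project_id": "tenant-a"}}
# access_as_shared RBAC grants as (network_id, target_project)
RBAC_SHARED = {("net-ironic", "tenant-a")}


def can_see_network(ctx, net_id):
    """Owner, admin, or a project the network was RBAC-shared to."""
    owner = NETWORKS[net_id]["project_id"]
    return (ctx.is_admin or owner == ctx.project_id
            or (net_id, ctx.project_id) in RBAC_SHARED)


def interface_network(port_id=None, subnet_id=None):
    """A router interface is added by port or by subnet, never both."""
    if (port_id is None) == (subnet_id is None):
        raise ValueError("give exactly one of port_id or subnet_id")
    if port_id is not None:
        return PORTS[port_id]["network_id"]
    return SUBNETS[subnet_id]["network_id"]


def router_owner_rule(ctx, router_id, port_id=None, subnet_id=None):
    """Stock-style admin-or-owner check: the policy target is the router,
    so the owner of the network never enters the decision."""
    return ctx.is_admin or ROUTERS[router_id]["project_id"] == ctx.project_id


def network_owner_rule(ctx, router_id, port_id=None, subnet_id=None):
    """Workaround-style check: additionally require ownership of the
    network the interface lands on (the restriction the reporter added)."""
    if not router_owner_rule(ctx, router_id):
        return False
    net_id = interface_network(port_id, subnet_id)
    return ctx.is_admin or NETWORKS[net_id]["project_id"] == ctx.project_id


def add_router_interface(ctx, router_id, port_id=None, subnet_id=None,
                         rule=router_owner_rule):
    """Model of the add-interface request; returns 'attached' or the refusal."""
    net_id = interface_network(port_id, subnet_id)
    if not can_see_network(ctx, net_id):
        return "denied: network not visible"
    if not rule(ctx, router_id, port_id, subnet_id):
        return "denied: policy"
    if subnet_id is not None:
        # by-subnet attach creates a port on the subnet's gateway IP, which
        # fails while the admin router's interface already holds that address
        gw = SUBNETS[subnet_id]["gateway_ip"]
        if any(gw in p["fixed_ips"] for p in PORTS.values()):
            return "failed: gateway IP already allocated"
    elif not ctx.is_admin and PORTS[port_id]["project_id"] != ctx.project_id:
        # by-port attach only needs a port the caller owns; the DHCP-served
        # gateway stays the admin router's, so the tenant overrides it in-guest
        return "denied: port not owned"
    return "attached"


if __name__ == "__main__":
    tenant = Context("tenant-a")
    print(add_router_interface(tenant, "rogue-router", subnet_id="subnet-1"))
    print(add_router_interface(tenant, "rogue-router", port_id="rogue-port"))
    print(add_router_interface(tenant, "rogue-router", port_id="rogue-port",
                               rule=network_owner_rule))
```

Run as a script it prints the three outcomes in the order the report describes them: the by-subnet attempt fails on the already-allocated gateway IP, the by-port attempt on the tenant's own router is accepted under the router-owner rule, and the same by-port attempt is refused once the rule also consults the network's owner. The point of the two rule functions is that `network_owner_rule` needs the port or subnet in hand to resolve the network; a policy whose target is only the router has nothing to evaluate that against.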