yahoo-eng-team team mailing list archive

[Bug 2098109] Re: Regular user can modify router SNAT flag


Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/942064
Committed: https://opendev.org/openstack/neutron-lib/commit/bf21a6dcd48bdd15c28086f256319ac035b7fef0
Submitter: "Zuul (22348)"
Branch:    master

commit bf21a6dcd48bdd15c28086f256319ac035b7fef0
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Tue Feb 18 06:43:19 2025 +0000

    Fix ``external-gateway-multihoming`` API extension definition
    
    The new field ``external-gateways`` added in the API extension
    ``external-gateway-multihoming`` didn't have the ``enforce_policy`` flag
    defined and the validate parameters didn't provide the needed
    information to the Neutron policy to build a correct rule match.
    Now this field copies the ``ext-gw-mode`` extension validator used in
    the ``external_gateway_info`` field.
    
    The validator type ``list_of_dict_or_nodata`` is currently not
    recognized by the Neutron policy as an iterable validator [1]; this
    code must be changed in Neutron in order to accept this new defined
    validator that is not a dictionary but a list of dictionaries.
    
    [1] https://github.com/openstack/neutron/blob/86f94de99aa08b1b4aadca8e90c6e79487171b8e/neutron/policy.py#L142
    
    Closes-Bug: #2098109
    Change-Id: I592f7ff0673c15276e9da0054fd38f7ad96f795a


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2098109

Title:
  Regular user can modify router SNAT flag

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  The Neutron policy 'update_router:external_gateway_info:enable_snat'
  is, by default, available for an admin user only. However, this command
  is succeeding with a regular user.

  How to reproduce it in a devstack deployment (no additional policies configured, using the default ones):
  $ . /opt/stack/devstack/openrc demo demo
  $ openstack router create r1
  $ openstack router set --external-gateway public r1
  $ openstack router set --disable-snat --external-gateway public r1

  This last command should fail for the "demo" user.
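To show why a missing ``enforce_policy`` flag and an unrecognised validator type let the ``enable_snat`` change through, here is a simplified model of the per-field rule derivation the commit message describes. It is an illustration added to this notification, not Neutron's or neutron-lib's code: the attribute and rule names come from the report above, while the attribute-map contents, the validator payload shape and the request body are constructed assumptions.

```python
# Simplified model of how a Neutron-style policy engine turns a request body
# into per-field rule names such as "update_router:<attr>:<sub>". Illustrative
# re-implementation written for this bug report, NOT Neutron's policy.py;
# attribute names come from the report, map contents and validator payload
# shapes are assumed.
ACTION = "update_router"
# Validators the engine can descend into. Before the fix only dict-shaped
# validators counted as iterable; list_of_dict_or_nodata did not.
DICT_VALIDATORS = {"type:dict_or_nodata"}
LIST_VALIDATORS = {"type:list_of_dict_or_nodata"}
GATEWAY_SUBATTRS = {"network_id": {}, "enable_snat": {}}  # assumed shape

# Constructed attribute maps: before the fix the new field carried neither
# enforce_policy nor sub-attribute information; after, it mirrors the
# ext-gw-mode validator used by external_gateway_info.
ATTRS_BEFORE = {
    "external_gateway_info": {"enforce_policy": True,
                              "validate": {"type:dict_or_nodata": GATEWAY_SUBATTRS}},
    "external_gateways": {"validate": {"type:list_of_dict_or_nodata": None}},
}
ATTRS_AFTER = {
    "external_gateway_info": ATTRS_BEFORE["external_gateway_info"],
    "external_gateways": {"enforce_policy": True,
                          "validate": {"type:list_of_dict_or_nodata": GATEWAY_SUBATTRS}},
}
# Constructed request: a tenant disabling SNAT through the multihoming field.
REQUEST = {"external_gateways": [{"network_id": "pub-net", "enable_snat": False}]}


def build_match_rules(body, attr_map, descend_lists=False):
    """Rule names evaluated for this body. descend_lists models the Neutron-side
    change the commit message says is still needed for list-of-dict fields."""
    rules = {ACTION: None}  # dict keeps insertion order and deduplicates
    for name, value in body.items():
        spec = attr_map.get(name, {})
        if not spec.get("enforce_policy"):
            continue  # field is never policy-checked at all
        rules[f"{ACTION}:{name}"] = None
        for vtype, subattrs in spec.get("validate", {}).items():
            if vtype in DICT_VALIDATORS:
                items = [value]
            elif descend_lists and vtype in LIST_VALIDATORS:
                items = list(value or [])
            else:
                continue  # opaque validator: no per-sub-attribute rules
            for item in items:
                for sub in (item or {}):
                    if subattrs and sub in subattrs:
                        rules[f"{ACTION}:{name}:{sub}"] = None
    return list(rules)
```

With ATTRS_BEFORE the request yields only ``update_router``, so the admin-only sub-attribute rule is never consulted; with ATTRS_AFTER and list descent enabled, ``update_router:external_gateways:enable_snat`` is derived and can be matched against policy.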

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2098109/+subscriptions