
yahoo-eng-team team mailing list archive

[Bug 2101150] [NEW] User who is not owner of the SG can create/delete rules in the shared SG


Public bug reported:

If the SG is shared with another project using the RBAC mechanism in
Neutron, users from the target project can see and use such an SG but
can't modify it by default, as by default modifying SGs is only allowed
for admin and the owner of the SG:
https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L153

But such a user, who just sees the SG as shared with them, can still
create or delete SG rules in that SG, because the SG rules have other
API policies and those don't check the owner of the SG:
https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L214

Creating an SG rule is really like a modification of the SG, thus IMO it
should by default mimic the API policies for SGs, and creation/deletion
of SG rules in such a case should be allowed only for admin and the
owner of the SG. To do that we should change our default API policies
for "create_security_group_rule" and "delete_security_group_rule" to
"rule:admin_or_sg_owner".

** Affects: neutron
     Importance: High
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: api

** Changed in: neutron
   Importance: Medium => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2101150
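The authorization gap described in the report, as an added example that is not part of the bug or of neutron's code: a minimal stand-in for the oslo.policy check language evaluates a constructed project-member policy (which, as the report says, never looks at the SG owner) next to the proposed "rule:admin_or_sg_owner", using the roles, project ids and rule strings below as assumptions.

```python
# Constructed rule table in the style of oslo.policy check strings.
# The real neutron defaults are not reproduced here; only the shape of
# "rule:admin_or_sg_owner" (admin, or request project == SG project) is.
RULES = {
    "context_is_admin": "role:admin",
    "admin_or_sg_owner": "rule:context_is_admin or "
                         "project_id:%(security_group:project_id)s",
    # Weak default: any project member passes, no ownership check at all.
    "create_security_group_rule:weak": "role:member",
    # Proposed default from the report: delegate to the SG-owner rule.
    "create_security_group_rule:fixed": "rule:admin_or_sg_owner",
}


def _atom(atom, creds, target):
    """Evaluate one 'kind:value' check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return evaluate(RULES[value], creds, target)
    if kind == "role":                      # role membership check
        return value in creds["roles"]
    # Generic check: compare a credential attribute with a target attribute,
    # e.g. project_id:%(security_group:project_id)s compares the caller's
    # project with the project that owns the security group being touched.
    if value.startswith("%(") and value.endswith(")s"):
        return creds.get(kind) == target.get(value[2:-2])
    return creds.get(kind) == value         # literal comparison


def evaluate(expr, creds, target):
    """'and' binds tighter than 'or'; both are plain keyword separators."""
    return any(all(_atom(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))


def may_create_rule(policy_name, creds, sg):
    """Would this caller be allowed to add a rule to security group `sg`?"""
    target = {"security_group:project_id": sg["project_id"]}
    return evaluate(RULES[policy_name], creds, target)


if __name__ == "__main__":
    sg = {"id": "sg-1", "project_id": "proj-a"}            # owned by proj-a
    owner = {"project_id": "proj-a", "roles": ["member"]}
    shared_with = {"project_id": "proj-b", "roles": ["member"]}  # sees SG via RBAC
    admin = {"project_id": "proj-x", "roles": ["admin", "member"]}
    for name in ("create_security_group_rule:weak", "create_security_group_rule:fixed"):
        print(name, [may_create_rule(name, c, sg) for c in (owner, shared_with, admin)])
```

Under the weak policy every member, including the user from the project the SG is merely shared with, is allowed; under the owner-aware rule only the owning project and admin are.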
