Reviewed:  https://review.openstack.org/86360
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=87f57c0a2cc00a70edc87c5dc10bdefb6c01587b
Submitter: Jenkins
Branch:    milestone-proposed
commit 87f57c0a2cc00a70edc87c5dc10bdefb6c01587b
Author: Andrew Laski <[email protected]>
Date:   Thu Mar 20 19:04:09 2014 -0400

    Add RBAC policy for ec2 API security groups calls

    The revoke_security_group_ingress, revoke_security_group_ingress, and
    delete_security_group calls in the ec2 API were not restricted by
    policy checks. This prevented a deployer from restricting their usage
    via roles or other checks. Checks have been added for these calls.

    Closes-Bug: #1290537
    Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189
    (cherry picked from commit d4056f8723cc6cefb28ff6e5a7c0df5ea77f82ef)

** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova/havana
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1290537

Title:
  RBAC policy not enforced when adding a security group rule using EC2
  API (CVE-2014-0167)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) havana series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  It seems that when using the EC2 API, the security group implementation
  does not enforce RBAC policy for the add_rules, remove_rules, destroy and
  other functions (in compute/api.py). Only the add_to_instance and
  remove_from_instance functions enforce RBAC. This seems like an oversight
  for obvious reasons. The Nova API security group implementation does
  enforce RBAC on these functions.

  In addition, the add_to_instance and remove_from_instance functions which
  are wrapped in RBAC verification use the "compute:security_groups" action
  which is not even listed in the default /etc/nova/policy.json. The latter
  is confusing to users.

  This is the case on Grizzly and at first glance, it doesn't look like this
  has changed in Havana.
Mailing list: https://launchpad.net/~yahoo-eng-team
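The pattern the report describes, as an added example written for this notice (not nova's own code): a minimal evaluator for policy.json-style rules, a decorator that enforces the "compute:security_groups" action, and a before/after model of a security-group API in which only add_to_instance is wrapped versus one where add_rules is wrapped too. The POLICY table, the request contexts and the group record are constructed assumptions; an action missing from the table falls back to "default", which is what happens to an action absent from policy.json.

```python
# Constructed policy in nova's policy.json style (assumed); unlisted actions resolve to "default".
POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
}

def _clause(clause, ctx, target):
    clause = clause.strip()
    if clause.startswith("rule:"):                # reference to another named rule
        return _evaluate(POLICY[clause[5:]], ctx, target)
    kind, value = clause.split(":", 1)
    return str(ctx.get(kind)) == value % target   # %(project_id)s is taken from the target

def _evaluate(rule, ctx, target):
    return rule == "" or any(_clause(c, ctx, target) for c in rule.split(" or "))

def check_policy(ctx, action, target):
    # Raise PermissionError unless the rule for `action` admits `ctx` acting on `target`.
    if not _evaluate(POLICY.get(action, POLICY["default"]), ctx, target):
        raise PermissionError(action)

def wrap_check_security_groups_policy(func):
    """Enforce compute:security_groups against the group passed as first argument."""
    def wrapped(self, ctx, group, *args, **kw):
        check_policy(ctx, "compute:security_groups", group)
        return func(self, ctx, group, *args, **kw)
    return wrapped

class SecurityGroupAPIBefore:
    """Hypothetical model of the bug: only add_to_instance is policy-checked."""
    @wrap_check_security_groups_policy
    def add_to_instance(self, ctx, group, instance_id):
        return "attached"
    def add_rules(self, ctx, group, rules):       # unchecked: any caller reaches it
        return "rules added"

class SecurityGroupAPIAfter(SecurityGroupAPIBefore):
    """Fixed model: the rule-mutating call gets the same check."""
    @wrap_check_security_groups_policy
    def add_rules(self, ctx, group, rules):
        return "rules added"

OWNER = {"project_id": "p1", "is_admin": False}   # constructed request contexts
OTHER = {"project_id": "p2", "is_admin": False}
GROUP = {"project_id": "p1", "name": "default"}   # constructed security group record

def call(fn, ctx, *args):
    # Return the API call's result, or "DENIED" when policy rejects it.
    try:
        return fn(ctx, *args)
    except PermissionError:
        return "DENIED"
```

With the "before" class a caller from another project is refused add_to_instance but still succeeds at add_rules; with the "after" class both calls go through the same check.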

