** Changed in: neutron/havana
Status: In Progress => Invalid
https://bugs.launchpad.net/bugs/1357379
Title:
policy admin_only rules not enforced when changing value to default
(CVE-2014-6414)
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in neutron havana series:
Invalid
Status in neutron icehouse series:
In Progress
Status in OpenStack Security Advisories:
In Progress
Bug description:
If a non-admin user tries to update an attribute, which should be
updated only by admin, from a non-default value to default, the
update is successfully performed and a PolicyNotAuthorized exception
is not raised.
The reason is that when a rule to match for a given action is built,
there is a verification that each attribute in the body of the
resource is present and has a non-default value. Thus, if we try to
change some attribute's value to default, it is not considered to be
explicitly set and the corresponding rule is not enforced.
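Added example, not part of the original bug report and not Neutron's own code: a simplified Python model of the check described above, showing the "present and non-default" test next to a stricter one. The schema, function names and the strict variant are assumptions made for illustration.

```python
# Simplified model of attribute-level policy matching (constructed example;
# not taken from the Neutron source tree).
ATTR_NOT_SPECIFIED = object()

# Constructed resource schema: 'shared' is admin-only and defaults to False.
NETWORK_ATTRS = {
    "name": {"default": "", "admin_only": False},
    "shared": {"default": False, "admin_only": True},
}

class PolicyNotAuthorized(Exception):
    pass

def explicitly_set_flawed(attr, schema, body):
    """Check as described in the bug: present AND different from the default."""
    return (attr in body
            and body[attr] is not ATTR_NOT_SPECIFIED
            and body[attr] != schema[attr]["default"])

def explicitly_set_strict(attr, schema, body):
    """Stricter variant (assumption): any attribute sent in the body counts."""
    return attr in body and body[attr] is not ATTR_NOT_SPECIFIED

def rules_for_update(schema, body, is_set):
    """Admin-only attributes whose rule will be enforced for this update."""
    return [a for a, spec in schema.items()
            if spec["admin_only"] and is_set(a, schema, body)]

def enforce_update(schema, body, is_admin, is_set):
    """Raise PolicyNotAuthorized if a non-admin touches an enforced attribute."""
    rules = rules_for_update(schema, body, is_set)
    if rules and not is_admin:
        raise PolicyNotAuthorized("admin-only attributes: " + ", ".join(rules))
    return True

def skipped_rules(schema, body):
    """Admin-only attributes the flawed check skips but the strict one enforces."""
    flawed = set(rules_for_update(schema, body, explicitly_set_flawed))
    strict = set(rules_for_update(schema, body, explicitly_set_strict))
    return sorted(strict - flawed)

if __name__ == "__main__":
    # Non-admin resets 'shared' to its default: no rule is built, update passes.
    print(enforce_update(NETWORK_ATTRS, {"shared": False}, False,
                         explicitly_set_flawed))
    print(skipped_rules(NETWORK_ATTRS, {"shared": False}))
```

skipped_rules() can be reused in a unit test that walks every admin-only attribute of a schema with its default value as the update body.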