It is fixed by https://review.opendev.org/c/openstack/horizon/+/774922

** Changed in: horizon
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1915308

Title:
  security group table doesn't observe Neutron policy settings

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The security group panel enables all actions
  (create/edit/delete/manage rules/etc.) regardless of the network
  policy.yaml settings or user account.

  In the code there's this telling readme:

  # TODO(amotoki): [drop-nova-network] Add neutron policy support

  In my deployment this is a bit alarming -- users who are intended to
  be read-only are nonetheless invited to delete things.  Of course the
  Neutron backend /does/ observe the policy so this is ugly but not
  usually an actual security risk unless people have different back-end
  and front-end policy files.

  I'm flagging as security-related nonetheless for the odd edge case
  where it poses a risk.

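The edge case named in the bug description, front-end and back-end policy files that differ, can be checked mechanically. The following is an added example, not part of the bug report or of Horizon's code: it compares the security group rules in the dashboard's copy of the Neutron policy with the policy Neutron enforces. The two file contents are constructed samples, and the flat one-rule-per-line YAML layout is an assumption.

```python
import re

# Neutron policy names that govern the security group panel's write actions.
SG_RULES = (
    "create_security_group", "update_security_group", "delete_security_group",
    "create_security_group_rule", "delete_security_group_rule",
)

# Matches one flat entry of the form  "name": "check string"
_LINE = re.compile(r'^\s*"?([\w:.*-]+)"?\s*:\s*"(.*)"\s*$')


def load_flat_policy(text):
    """Parse flat '"name": "check string"' entries from policy file text."""
    rules = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out defaults are not overrides
        m = _LINE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def policy_drift(frontend_text, backend_text, names=SG_RULES):
    """Return {rule: (frontend, backend)} where the two files disagree.

    None means the file does not override the rule, so that side falls back
    to the built-in default; such a pair is still reported for manual review.
    """
    fe, be = load_flat_policy(frontend_text), load_flat_policy(backend_text)
    return {n: (fe.get(n), be.get(n)) for n in names if fe.get(n) != be.get(n)}


# Constructed sample: the dashboard's copy of the Neutron policy.
FRONTEND = '''
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
"create_security_group": "rule:admin_or_owner"
"delete_security_group": "rule:admin_or_owner"
'''
# Constructed sample: the policy Neutron enforces, tightened for delete.
BACKEND = '''
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s"
"create_security_group": "rule:admin_or_owner"
"delete_security_group": "rule:context_is_admin"
# "update_security_group": "rule:admin_or_owner"
'''

if __name__ == "__main__":
    for rule, (fe, be) in policy_drift(FRONTEND, BACKEND).items():
        print(f"{rule}: dashboard={fe!r} neutron={be!r}")
```

Any rule reported here is one where the dashboard and Neutron would reach different decisions once the panel evaluates policy, so the two files should be brought back in sync.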