After discussing, the Vulnerability Management Team members have concluded that the in-progress but incomplete RBAC implementation in various projects does not rise to the level of requiring a published security advisory, particularly as this work is likely to take place primarily in development branches and not be backported to supported stable branches. Some clearer documentation on behalf of the implementing projects is likely warranted in order to warn users of the caveats and potential pitfalls of relying on RBAC in its current state, but that's separate from whether or not we publish advisories about any fixes which may merge to complete the implementation.
** Changed in: ossa
   Status: Incomplete => Won't Fix

** Tags added: security

** Information type changed from Public Security to Public

https://bugs.launchpad.net/bugs/1784259

Title:
  Neutron RBAC not working for multiple extensions

Status in neutron:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  * Description *

  Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code.

  Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py

  This appears to be affecting many Neutron extensions.

  * Pre-conditions *

  1) Enable neutron-trunk plugin in local.conf by adding:
     enable_service neutron-trunk
  2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.:
     "create_trunk": "rule:admin_only"
     or even
     "create_trunk": "!"
     which should deny absolutely everyone.
  3) source ~/devstack/openrc demo demo
     or even
     source ~/devstack/openrc admin admin
     after setting "create_trunk" with the "!" rule.

  * Reproduction Steps *

  1) Run the following CLI commands:
     - openstack network create test-network
     - openstack port create --enable --network test-network test-port
     - openstack network trunk create --parent-port test-port --enable --project demo test-trunk

  * Expected Output *

  Expected result: trunk creation fails with a 403 Unauthorized.

  * Actual Output *

  Observed result: trunk creation succeeds.

  * Affected Plugins *

  As far as I can tell:
  - subnet service type
  - subnet segment_id
  - trunks
  - trunk subports
  Possibly many more.
  * Outstanding Patches *

  Outstanding patches that begin fixing these issues:
  - https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
  - https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)

  Validation patches that identify some of these issues:
  - https://review.openstack.org/#/c/584424/
  - https://review.openstack.org/#/c/582388/
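The failure mode the report describes, reduced to a small model: a policy rule such as "create_trunk": "rule:admin_only" or "!" only takes effect when the resource definition carries "enforce_policy": True, and a definition that omits the key lets every caller through. The following is an added illustration, not code from the bug report or from Neutron itself; the rule-evaluation logic, the resource definitions, the "trunk" attribute maps and the audit helper are all constructed for this example, and the rule syntax covers only the three rule strings the report mentions.

```python
"""Simplified model of attribute-level policy enforcement (constructed
example; not Neutron's code).  Shows how a resource definition that omits
"enforce_policy": True falls through the policy check, how the corrected
definition makes the same policy.json rule take effect, and how to audit
attribute maps for the missing flag."""

# Constructed policy.json-style rules, mirroring the report's settings.
# A rule string here is one of:
#   ""                -> allow everyone
#   "!"               -> deny everyone
#   "rule:admin_only" -> allow only callers holding the admin role
POLICY = {
    "create_trunk": "rule:admin_only",
    "create_network": "",
}

# Two constructed definitions for a hypothetical "trunk" resource: the
# first models the reported defect (flag missing), the second the fix.
TRUNK_MISSING_FLAG = {
    "trunk": {"allow_post": True, "is_visible": True},
}
TRUNK_FIXED = {
    "trunk": {"allow_post": True, "is_visible": True, "enforce_policy": True},
}


class PolicyNotAuthorized(Exception):
    """Raised when a policy rule denies the action (maps to HTTP 403)."""


def _rule_allows(rule, context):
    """Evaluate one rule string against the caller's context."""
    if rule == "":
        return True
    if rule == "!":
        return False
    if rule == "rule:admin_only":
        return "admin" in context.get("roles", ())
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def enforce(action, resource, attr_map, context, policy=POLICY):
    """Return True when the action may proceed, raise otherwise.

    The policy lookup is skipped entirely unless the resource definition
    carries "enforce_policy": True, which is the behaviour the report
    describes: the rule in policy.json is simply never consulted.
    """
    definition = attr_map.get(resource, {})
    if not definition.get("enforce_policy", False):
        return True  # no flag: policy.json is not consulted at all
    rule = policy.get(action, "")
    if not _rule_allows(rule, context):
        raise PolicyNotAuthorized(f"{action} denied by rule {rule!r}")
    return True


def try_create_trunk(attr_map, context, policy=POLICY):
    """Drive the check and report the outcome as an HTTP status code."""
    try:
        enforce("create_trunk", "trunk", attr_map, context, policy)
        return 201  # created
    except PolicyNotAuthorized:
        return 403  # forbidden


def audit_attr_map(attr_map):
    """Defender-side check: list resources whose definition lacks the flag.

    Running this over every extension's attribute map is a quick way to
    find definitions that will silently bypass policy.json rules.
    """
    return sorted(
        name for name, definition in attr_map.items()
        if not definition.get("enforce_policy", False)
    )


if __name__ == "__main__":
    demo = {"user": "demo", "roles": ["member"]}
    admin = {"user": "admin", "roles": ["admin"]}
    deny_all = dict(POLICY, create_trunk="!")
    print("missing flag, demo user      :", try_create_trunk(TRUNK_MISSING_FLAG, demo))
    print("fixed flag,   demo user      :", try_create_trunk(TRUNK_FIXED, demo))
    print("fixed flag,   admin user     :", try_create_trunk(TRUNK_FIXED, admin))
    print("fixed flag,   '!' rule, admin:", try_create_trunk(TRUNK_FIXED, admin, deny_all))
    print("resources missing the flag   :", audit_attr_map(TRUNK_MISSING_FLAG))
```

With the flag missing, the demo user's create succeeds even under the "!" rule, which is the observed result in the report; with the flag present, the same rules produce the expected 403, and `audit_attr_map` flags the defective definition before it reaches production.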