After discussing, the Vulnerability Management Team members have
concluded that the in-progress but incomplete RBAC implementation in
various projects does not rise to the level of requiring a published
security advisory, particularly as this work is likely to take place
primarily in development branches and not be backported to supported
stable branches. Some clearer documentation on behalf of the
implementing projects is likely warranted in order to warn users of the
caveats and potential pitfalls of relying on RBAC in its current state,
but that's separate from whether or not we publish advisories about any
fixes which may merge to complete the implementation.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1784259

Title:
  Neutron RBAC not working for multiple extensions

Status in neutron:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  * Description *

  Using QA automation as well as manual CLI validation, it appears to me
  as though many Neutron extensions aren't enforcing RBAC at all. This
  is because the extensions lack the "enforce_policy": True key/value
  pair in the extension resource definition code. Example:
  https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py

  This appears to be affecting many Neutron extensions.

  * Pre-conditions *

  1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
  2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
  3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.

  * Reproduction Steps *

  1) Run the following CLI commands:

  - openstack network create test-network
  - openstack port create --enable --network test-network test-port
  - openstack network trunk create --parent-port test-port --enable --project demo test-trunk

  * Expected Output *

  Expected result: trunk creation fails with a 403 Unauthorized.

  * Actual Output *

  Observed result: trunk creation succeeds.

  * Affected Plugins *
  As far as I can tell:

  - subnet service type
  - subnet segment_id
  - trunks
  - trunk subports

  Possibly many more.

  * Outstanding Patches *

  Outstanding patches that begin fixing these issues:

  - https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
  - https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)

  Validation patches that identify some of these issues:
  - https://review.openstack.org/#/c/584424/
  - https://review.openstack.org/#/c/582388/



-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
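Added illustration of the failure mode described in the bug report above. This is not Neutron's or oslo.policy's code and is not from the report or the review links: it is a toy policy evaluator plus a controller model in which a policy.json rule is only consulted for a resource definition that carries "enforce_policy": True, so a missing flag makes even the "!" rule a no-op. The names POLICY_DENY_ALL, POLICY_ADMIN_ONLY, Context, check_rule, enforce, TRUNK_BEFORE_FIX, TRUNK_AFTER_FIX and reproduce are assumptions made for the example; the two policy fragments are constructed to mirror the reporter's "rule:admin_only" and "!" settings, and the rule language covers only a small subset of what oslo.policy accepts.

```python
"""Toy model of enforce_policy-gated policy checks (added illustration).

Not Neutron or oslo.policy code. The point demonstrated: a rule in
policy.json does nothing for a resource whose definition lacks
'enforce_policy': True, which is the shape of the reported bug.
"""
from dataclasses import dataclass, field

# Constructed policy.json fragments matching the two settings in the report.
POLICY_DENY_ALL = {"admin_only": "role:admin", "create_trunk": "!"}
POLICY_ADMIN_ONLY = {"admin_only": "role:admin", "create_trunk": "rule:admin_only"}

# Constructed resource definitions: 'before' lacks the flag, 'after' has it.
TRUNK_BEFORE_FIX = {"allow_post": True, "is_visible": True}
TRUNK_AFTER_FIX = {"allow_post": True, "is_visible": True, "enforce_policy": True}


@dataclass
class Context:
    """Minimal request context: who is calling and with which roles."""
    project_id: str
    roles: tuple = field(default_factory=tuple)


def check_rule(expr, policy, ctx, _depth=0):
    """Evaluate a small subset of the oslo.policy rule language.

    Supported: "!" (always deny), "@" or "" (always allow), "role:<name>",
    "rule:<other_rule>", and unparenthesised " or " / " and " chains, with
    "and" binding tighter than "or". Unknown rule names deny (closed by
    default) and rule recursion is bounded.
    """
    expr = expr.strip()
    if _depth > 16:
        raise ValueError("rule recursion too deep: %r" % expr)
    if " or " in expr:
        return any(check_rule(p, policy, ctx, _depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(check_rule(p, policy, ctx, _depth + 1) for p in expr.split(" and "))
    if expr == "!":
        return False
    if expr in ("@", ""):
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        # Missing rule names fall back to "!" so typos fail closed.
        return check_rule(policy.get(value, "!"), policy, ctx, _depth + 1)
    raise ValueError("unsupported check: %r" % expr)


def enforce(ctx, action, resource_def, policy):
    """Model of a controller that only enforces rules on flagged definitions.

    Returns True when the request may proceed. The weak behaviour from the
    report is reproduced deliberately: without 'enforce_policy': True the
    policy engine is never consulted, so policy.json cannot deny anything.
    """
    if not resource_def.get("enforce_policy"):
        return True
    rule = policy.get(action, policy.get("default", "!"))
    return check_rule(rule, policy, ctx)


def reproduce(resource_def, policy):
    """Return {user: allowed} for the demo and admin users from the report."""
    demo = Context("demo", roles=("member",))
    admin = Context("admin", roles=("admin", "member"))
    return {
        "demo": enforce(demo, "create_trunk", resource_def, policy),
        "admin": enforce(admin, "create_trunk", resource_def, policy),
    }


if __name__ == "__main__":
    for label, rdef in (("before fix", TRUNK_BEFORE_FIX), ("after fix", TRUNK_AFTER_FIX)):
        for pname, pol in (("deny all", POLICY_DENY_ALL), ("admin only", POLICY_ADMIN_ONLY)):
            print("%-10s / %-10s -> %s" % (label, pname, reproduce(rdef, pol)))
```

Run as a script it prints, for each combination of definition and policy, whether demo and admin are allowed to create a trunk; only the flagged definition ever produces a denial, which is the observed-versus-expected gap in the report. The same check (is the rule actually reachable from the resource definition?) is the one to run against any extension before trusting a policy.json entry for it.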