Reviewed:  https://review.opendev.org/c/openstack/neutron/+/855580
Committed: https://opendev.org/openstack/neutron/commit/01fc2b9195f999df4d810df4ee63f77ecbc81f7e
Submitter: "Zuul (22348)"
Branch:    master

commit 01fc2b9195f999df4d810df4ee63f77ecbc81f7e
Author: Brian Haley <[email protected]>
Date:   Thu Sep 1 21:13:44 2022 -0400

    Do not allow a tenant to create a default SG for another one

    The attempt to list security groups for a project, or any
    random string, can create a default SG for it. Only allow if
    privileges support it.

    Closes-bug: #1988026
    Change-Id: Ieef7011f48cd2188d4254ff16d90a6465bbabfe3

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1988026

Title:
  Neutron should not create security group with project==None

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  New

Bug description:
  When a non-admin user tries to list security groups for project_id
  "None", Neutron creates a default security group for that project and
  returns an empty list to the caller.

  To reproduce:

  openstack --os-cloud devstack security group list --project None
  openstack --os-cloud devstack-admin security group list

  The API call that is made is essentially

  GET /networking/v2.0/security-groups?project_id=None

  The expected result would be an authorization failure, since normal
  users should not be allowed to list security groups for other
  projects.
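
The side effect described in this report, modelled next to a guarded variant. This is an added example, not Neutron's code and not the committed patch; Context, SGStore and both list functions are hypothetical names, and the guard condition (admin, or target equals the caller's own project) is an assumed reading of "only allow if privileges support it".

```python
# Added illustration: a simplified in-memory model, not Neutron's code.
from dataclasses import dataclass, field


@dataclass
class Context:            # hypothetical stand-in for a request context
    project_id: str
    is_admin: bool = False


@dataclass
class SGStore:            # hypothetical in-memory security-group table
    groups: list = field(default_factory=list)

    def ensure_default(self, project_id):
        # Create the project's "default" group if it does not exist yet.
        if (project_id, "default") not in self.groups:
            self.groups.append((project_id, "default"))

    def visible_to(self, ctx, project_id):
        # Non-admins only ever see rows owned by their own project.
        return [g for g in self.groups if g[0] == project_id
                and (ctx.is_admin or g[0] == ctx.project_id)]


def list_groups_before(store, ctx, project_filter=None):
    # Flawed flow: the caller-controlled filter decides which project
    # gets a default group created as a side effect of a read.
    target = project_filter or ctx.project_id
    store.ensure_default(target)
    return store.visible_to(ctx, target)


def list_groups_after(store, ctx, project_filter=None):
    # Guarded flow: create only for admins or the caller's own project.
    target = project_filter or ctx.project_id
    if ctx.is_admin or target == ctx.project_id:
        store.ensure_default(target)
    return store.visible_to(ctx, target)


def demo():
    user = Context(project_id="proj-a")        # constructed sample caller
    before, after = SGStore(), SGStore()
    return (list_groups_before(before, user, "None"), before.groups,
            list_groups_after(after, user, "None"), after.groups)


if __name__ == "__main__":
    print(demo())
```

In the flawed flow the caller gets an empty list while a ("None", "default") row has been written, matching the reproduction above; in the guarded flow the same request leaves the table untouched.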

