Reviewed:  https://review.opendev.org/c/openstack/neutron/+/896222
Committed: https://opendev.org/openstack/neutron/commit/96223931cae782a997271c17ea8092ed277d2db3
Submitter: "Zuul (22348)"
Branch:    master

commit 96223931cae782a997271c17ea8092ed277d2db3
Author: Rodolfo Alonso Hernandez <[email protected]>
Date:   Tue Oct 3 14:34:55 2023 +0000

    Create a policy rule to control if a rule belongs to the default SG

    The policy rule ``shared_security_group`` allows creating new policy
    rules checking if a security group rule belongs or not to the project
    default security group. By default the behaviour has not changed.

    If an administrator wants to prevent a non-privileged user from creating
    or deleting rules in the default security group, the
    ``create_security_group_rule`` and ``delete_security_group_rule`` can be
    overridden. An example is provided in the unit tests.

    Closes-Bug: #2019960
    Change-Id: I6c90b61df0e726ef07f177801069baf30c49de67

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019960

Title:
  [RFE] Can't protect the "default" security group from regular users

Status in neutron:
  Fix Released

Bug description:
  The 'default' security group is applied to all VMs in a tenant. This
  means that tampering with it from one user can prevent other users' VMs
  from working (e.g. deleting the "ssh ingress" rule).

  While you can limit actions on the whole security group matching the
  "name" field (field:security_groups:name=default), when limiting APIs
  dealing with SG *rules* there is no way of accessing the SG the rule
  belongs to. This means I can prevent deletion of rules from any SG -
  disallowing a regular user from managing her own SG - or I must let her
  delete rules from any SG.
  Steps to reproduce:

  - policy.yaml

      "sg_is_default": "field:security_groups:name=default"
      "delete_security_group_rule": "role:member and project_id:%(project_id)s and not rule:sg_is_default or (rule:sg_is_default and role:admin)"

  - user can still delete rules from 'default'

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019960/+subscriptions
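The following is an added example, not neutron's or oslo.policy's code and not part of the bug report or the commit. It models the check language used in the policy.yaml above (role:, rule:, field:<resource>:<attr>=<value>, key:%(attr)s, and/or/not with parentheses, with oslo.policy's precedence of not over and over or) just far enough to show why the reporter's policy does not protect the default group's rules: the field: check compares against the target dict, a security_group_rule target carries no "name" attribute, so sg_is_default is always False and "not rule:sg_is_default" lets a member delete any rule. It then evaluates a policy that keys on a per-rule target attribute instead. The attribute name belongs_to_default_sg, the fixed policy strings, the extra delete_security_group entry used for contrast, and all credentials and targets are constructed assumptions for this example, not taken from the fix.

```python
import re

# Tokens are parentheses or runs of non-space characters; %(attr)s stays whole.
TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")


class PolicyEngine:
    """Model of oslo.policy/neutron check strings (not the real library): role:,
    rule:, field: and generic key:%(attr)s checks, precedence not > and > or."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def enforce(self, action, target, creds):
        toks = TOKEN_RE.findall(self.rules[action])
        return self._or(toks, 0, target, creds)[0]

    def _or(self, toks, i, t, c):
        val, i = self._and(toks, i, t, c)
        while i < len(toks) and toks[i] == "or":
            rhs, i = self._and(toks, i + 1, t, c)
            val = val or rhs
        return val, i

    def _and(self, toks, i, t, c):
        val, i = self._not(toks, i, t, c)
        while i < len(toks) and toks[i] == "and":
            rhs, i = self._not(toks, i + 1, t, c)
            val = val and rhs
        return val, i

    def _not(self, toks, i, t, c):
        if toks[i] == "not":
            val, i = self._not(toks, i + 1, t, c)
            return (not val), i
        if toks[i] == "(":
            val, i = self._or(toks, i + 1, t, c)
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("unbalanced parentheses")
            return val, i + 1
        return self._atom(toks[i], t, c), i + 1

    def _atom(self, atom, target, creds):
        kind, _, rest = atom.partition(":")
        if kind == "role":
            return rest in creds.get("roles", ())
        if kind == "rule":
            return self.enforce(rest, target, creds)
        if kind == "field":
            # field:<resource>:<attr>=<value>: the resource name only selects an
            # attribute map; the value is read from the *target* dict, and an
            # attribute missing from the target evaluates to False.
            attr, _, value = rest.partition(":")[2].partition("=")
            if attr not in target:
                return False
            if isinstance(target[attr], bool):
                return target[attr] == (value.lower() == "true")
            return str(target[attr]) == value
        # Generic check: creds[kind] == literal, or == target[attr] for %(attr)s.
        m = re.fullmatch(r"%\((\w+)\)s", rest)
        if m:
            return m.group(1) in target and creds.get(kind) == target[m.group(1)]
        return str(creds.get(kind)) == rest


# policy.yaml from the bug report; delete_security_group (same check string) is
# added here only to contrast the SG target with the SG-rule target.
REPORTED_RULE = ("role:member and project_id:%(project_id)s and not rule:sg_is_default"
                 " or (rule:sg_is_default and role:admin)")
REPORTED_POLICY = {"sg_is_default": "field:security_groups:name=default",
                   "delete_security_group_rule": REPORTED_RULE,
                   "delete_security_group": REPORTED_RULE}

# Policy keyed on a per-rule target attribute. ``belongs_to_default_sg`` is an
# assumed name for what the fix exposes, not taken from the commit.
FIXED_POLICY = {"rule_default_sg": "field:security_group_rules:belongs_to_default_sg=True",
                "delete_security_group_rule": "role:admin or (role:member and"
                " project_id:%(project_id)s and not rule:rule_default_sg)"}

# Constructed credentials and targets; a security_group_rule has no "name" key.
MEMBER = {"project_id": "p1", "roles": ["member", "reader"]}
ADMIN = {"project_id": "p1", "roles": ["admin", "member", "reader"]}
DEFAULT_SG = {"id": "sg-1", "name": "default", "project_id": "p1"}


def sg_rule(in_default, with_flag=False):
    t = {"id": "r-1", "project_id": "p1", "security_group_id": "sg-1" if in_default else "sg-2"}
    if with_flag:
        t["belongs_to_default_sg"] = in_default
    return t


def reported_policy_results():
    # The reporter's policy protects the SG object itself but not its rules.
    eng = PolicyEngine(REPORTED_POLICY)
    return {"member_deletes_default_sg": eng.enforce("delete_security_group", DEFAULT_SG, MEMBER),
            "member_deletes_default_rule": eng.enforce("delete_security_group_rule", sg_rule(True), MEMBER)}


def fixed_policy_results():
    # With the flag on the rule target, members keep control of their own SGs.
    eng = PolicyEngine(FIXED_POLICY)
    act = "delete_security_group_rule"
    return {"member_deletes_default_rule": eng.enforce(act, sg_rule(True, True), MEMBER),
            "member_deletes_own_rule": eng.enforce(act, sg_rule(False, True), MEMBER),
            "admin_deletes_default_rule": eng.enforce(act, sg_rule(True, True), ADMIN)}
```

The check that matters is the "attribute missing from the target evaluates to False" branch: it is exactly why a rule written against field:security_groups:name cannot see the parent group when the API target is a security_group_rule. Whatever attribute the real fix exposes, an operator validating an override should run the rule against a rule target, not only against a security group, as the reporter did.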

