Looks like my comment raced Slawek's second. If there is no change planned to the default policy nor specific recommendations for operators to adjust their own, then an OSSN wouldn't be appropriate either.
It's possible this is merely a case that needs to be more clearly explained in Neutron's documentation, or some UX improvement (OSC, Horizon...) when listing to make it more obvious who shared a particular network or security group.

** No longer affects: ossn

https://bugs.launchpad.net/bugs/2054590

Title:
  Sharing of networks and security groups in OpenStack

Status in neutron:
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

I have been looking into the possibility of sharing security groups cloud-wide. I found the following command "openstack network rbac create ...". But I expected, from a security perspective, that only admins (== cloud operator) should be able to use this.

I found out that as a user with the member role, I could also share security groups with a project as long as I know the name of the project. And not only that, I was also able to share a network that can then be found when searching for external networks (it is a private network):

```
$ openstack network rbac create --target-project test-proj-2 --action access_as_shared --type security_group 44c6734a-baf7-4e90-8ba4-27001342d9ea
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_shared                     |
| id                | 8f5ea6a4-adbe-4bfa-88af-5205853cf01c |
| object_id         | 44c6734a-baf7-4e90-8ba4-27001342d9ea |
| object_type       | security_group                       |
| project_id        | 8c59028a6e5144a78dfee2364d529070     |
| target_project_id | test-proj-2                          |
+-------------------+--------------------------------------+

$ openstack network rbac create --target-project test-proj-2 --action access_as_external --type network test-net2
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| action            | access_as_external                   |
| id                | 33ec8b68-49bd-49c8-8216-78619f4de557 |
| object_id         | 1bfab47d-b2f7-4c1b-a797-ba9d79121af7 |
| object_type       | network                              |
| project_id        | 8c59028a6e5144a78dfee2364d529070     |
| target_project_id | test-proj-2                          |
+-------------------+--------------------------------------+

$ openstack network rbac list --long
+--------------------------------------+----------------+--------------------------------------+--------------------+
| ID                                   | Object Type    | Object ID                            | Action             |
+--------------------------------------+----------------+--------------------------------------+--------------------+
| 84d026d9-619b-487a-825f-c35c67869162 | security_group | a4c7070f-b7c8-499c-91aa-b6cf1c7cc1f1 | access_as_shared   |
| 8f5ea6a4-adbe-4bfa-88af-5205853cf01c | security_group | 44c6734a-baf7-4e90-8ba4-27001342d9ea | access_as_shared   |
| 33ec8b68-49bd-49c8-8216-78619f4de557 | network        | 1bfab47d-b2f7-4c1b-a797-ba9d79121af7 | access_as_external |
+--------------------------------------+----------------+--------------------------------------+--------------------+
```

An admin can see the new "external network":

```
$ openstack network list --external
+--------------------------------------+-----------+----------------------------------------------------------------------------+
| ID                                   | Name      | Subnets                                                                    |
+--------------------------------------+-----------+----------------------------------------------------------------------------+
| 1bfab47d-b2f7-4c1b-a797-ba9d79121af7 | test-net2 |                                                                            |
| 73edb86b-d7ab-4db3-82b7-25fa8b012e40 | public    | 3e0206bc-53c8-44ca-a0f1-2c2548bba766, 84dffd43-6d7f-4c2f-9180-8f0f0b83c9d4 |
+--------------------------------------+-----------+----------------------------------------------------------------------------+
```

From my perspective this could be used to advertise security groups or even networks to other projects and their users, which could be used in a social engineering way to get access to the network traffic or access to VMs.
There is a policy that can be changed to admin-only access to this endpoint in the neutron policy file:

```
"create_rbac_policy": "rule:admin_only"
"create_rbac_policy:target_tenant": "rule:admin_only"
```

I just wonder: this seems to be explicitly implemented this way. Is this behavior really wanted? In my opinion the default should be to only let administrators do such things as sharing networks or security groups.
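The follow-up question an operator will have after reading the report is the one the comment above raises: who shared what with whom, and was it a cloud operator or an arbitrary member? The script below is an added example (not code from the bug report, from Neutron, or from the OpenStack CLI) that audits RBAC entries for sharing created by non-operator projects and answers "what has been pushed into my project?" for a given target. It reuses the field names that `openstack network rbac create` prints in the report; the list of entries is a constructed sample (two entries reuse the report's IDs, the operator-created wildcard entry is invented), and the set of operator project IDs is an assumption you would replace with your own. Before relying on either the audit or the policy override from the report, confirm your release's actual defaults with `oslopolicy-sample-generator --namespace neutron`; in Neutron's shipped policy only wildcard (`*`) targets are restricted to admins, which is why a member can target a named project but not everyone.

```python
"""Audit Neutron RBAC entries for sharing done by non-operator projects.

Added example, not part of the bug report or of Neutron. Entries mirror the
fields shown by `openstack network rbac create` in the report; the sample data
and the operator project set below are constructed assumptions.
"""
import json
from collections import defaultdict

# Constructed sample. The second and third entries reuse IDs from the report;
# the first (operator project sharing a security group with everyone) is invented.
SAMPLE_RBAC_JSON = json.dumps([
    {"id": "84d026d9-619b-487a-825f-c35c67869162", "object_type": "security_group",
     "object_id": "a4c7070f-b7c8-499c-91aa-b6cf1c7cc1f1", "action": "access_as_shared",
     "project_id": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "target_project_id": "*"},
    {"id": "8f5ea6a4-adbe-4bfa-88af-5205853cf01c", "object_type": "security_group",
     "object_id": "44c6734a-baf7-4e90-8ba4-27001342d9ea", "action": "access_as_shared",
     "project_id": "8c59028a6e5144a78dfee2364d529070", "target_project_id": "test-proj-2"},
    {"id": "33ec8b68-49bd-49c8-8216-78619f4de557", "object_type": "network",
     "object_id": "1bfab47d-b2f7-4c1b-a797-ba9d79121af7", "action": "access_as_external",
     "project_id": "8c59028a6e5144a78dfee2364d529070", "target_project_id": "test-proj-2"},
])

# Assumption: project IDs whose members are the cloud operators.
OPERATOR_PROJECTS = {"0a1b2c3d4e5f60718293a4b5c6d7e8f9"}


def audit_rbac(rbac_json, operator_projects):
    """Return (severity, rbac_id, reason) for every entry created by a non-operator project.

    Entries created by operator projects are expected and skipped. A network advertised
    as external by a non-operator is the case from the report and is rated highest; a
    wildcard share by a non-operator should be blocked by Neutron's default policy, so
    seeing one means the policy file was loosened.
    """
    findings = []
    for entry in json.loads(rbac_json):
        creator = entry["project_id"]
        if creator in operator_projects:
            continue
        target = entry["target_project_id"]
        desc = f"{entry['object_type']} {entry['object_id']} by {creator} -> {target}"
        if entry["action"] == "access_as_external":
            findings.append(("high", entry["id"],
                             "non-operator project advertises a network as external: " + desc))
        elif target == "*":
            findings.append(("high", entry["id"],
                             "non-operator wildcard share (default policy should block this): " + desc))
        else:
            findings.append(("medium", entry["id"],
                             "non-operator cross-project share: " + desc))
    return findings


def shared_into(rbac_json, project):
    """Map object_type -> [(object_id, sharing project)] for objects other projects
    have shared with `project`, including wildcard shares.

    This is the view the report says the CLI does not make obvious: who shared this
    network or security group with me?
    """
    seen = defaultdict(list)
    for entry in json.loads(rbac_json):
        if entry["target_project_id"] in (project, "*") and entry["project_id"] != project:
            seen[entry["object_type"]].append((entry["object_id"], entry["project_id"]))
    return dict(seen)


if __name__ == "__main__":
    for severity, rbac_id, reason in audit_rbac(SAMPLE_RBAC_JSON, OPERATOR_PROJECTS):
        print(f"[{severity}] {rbac_id}: {reason}")
    print(shared_into(SAMPLE_RBAC_JSON, "test-proj-2"))
```

Feed it real data by dumping `openstack network rbac show <id>` for each entry in `openstack network rbac list` (or your own API query) into the same key names; in a live cloud `target_project_id` carries a project ID, whereas the report's output shows the project name, so normalise before comparing.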

