Reviewed:  https://review.opendev.org/c/openstack/neutron/+/886231
Committed: https://opendev.org/openstack/neutron/commit/6e3525188fdfbe7fabd665e21df2068280471689
Submitter: "Zuul (22348)"
Branch:    master
commit 6e3525188fdfbe7fabd665e21df2068280471689
Author: Slawek Kaplonski <skapl...@redhat.com>
Date:   Thu Jun 15 12:59:03 2023 -0700

    [S-RBAC] Fix policies for CUD subnets APIs

    In the new, secure RBAC policies for create subnet the rule
    "ADMIN_OR_PROJECT_MEMBER" was used, and that was wrong, as this rule
    basically allows any member (PROJECT_MEMBER) to create a subnet in
    networks visible to them; this project does not necessarily need to be
    the owner of that network. So it allowed users to create new subnets in
    the shared or provider networks as well. Now the policy for create
    subnet is ADMIN OR NET_OWNER_MEMBER to avoid that.

    Additionally this patch also fixes the policies for the update and
    delete subnet APIs, where the rule NET_OWNER was used, which
    effectively allowed a network owner who has the READER role only to
    update or delete the subnet. Now this is also fixed by using the
    NET_OWNER_MEMBER rule instead.

    Closes-Bug: #2023679
    Change-Id: Ia494872b58f368581fb29fa40b7da17e1071db22

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2023679

Title:
  create_subnet policy allows users to create subnet in the shared networks

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

## Context

We normally provide the external network as a shared resource so any users can use it. But with this new scoped policy, users can create subnets in that external network even if they are not members of the admin project.

```
"create_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner"
```

If I remove the `(role:member and project_id:%(project_id)s)` partial rule, or change `project_id:%(project_id)s` to `project_id:%(network:project_id)s`, then it works as expected, i.e. users cannot create subnets in the external network.

## Expected result

Users should not be able to create subnets in shared networks or default networks if they are not members of the networks' owning projects.

## Version info

release: stable/zed

I was able to reproduce it in a zed Devstack also. Btw, master Devstack works as expected.

## Workaround

We use the deprecated rule `"create_subnet": "rule:admin_or_network_owner"` and it works without any issue.

## Concern

- I am not sure why we need the `(role:member and project_id:%(project_id)s)` rule.
- I didn't have a chance to check other new policies to see if they also have such a perm gap.
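As an added illustration (not code from the neutron project or from this bug report), the small Python model of oslo.policy rule evaluation below shows why `project_id:%(project_id)s` passes for any project member on a shared network while `project_id:%(network:project_id)s` only passes for the network's owning project, and why a reader-only owner passed the old `rule:network_owner` check. The `create_subnet_fixed` string is my own expansion of the commit's "ADMIN OR NET_OWNER_MEMBER", and the project names and target dicts are constructed; neutron's real engine is oslo.policy, where `and` binds tighter than `or` as modelled here.

```python
import re
# Rule aliases modelled on neutron's defaults; "create_subnet_fixed" is my expansion of the
# commit's "ADMIN OR NET_OWNER_MEMBER" (an assumption, not a copy of neutron's policy file).
RULES = {
    "admin_only": "role:admin",
    "network_owner": "project_id:%(network:project_id)s",
    # Weak rule quoted in the bug report: any project member passes via the middle clause.
    "create_subnet_weak": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:network_owner",
    # Corrected rule: member role AND ownership of the parent network.
    "create_subnet_fixed": "(rule:admin_only) or (role:member and project_id:%(network:project_id)s)",
}
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[^\s()]+(?:\([^)]*\)s)?")  # parens, and/or, or a check

def _check(check, creds, target):
    kind, _, value = check.partition(":")
    if kind == "rule":                       # alias, e.g. rule:admin_only
        return evaluate(RULES[value], creds, target)
    if kind == "role":
        return value in creds["roles"]
    m = re.fullmatch(r"%\((.+)\)s", value)   # e.g. project_id:%(network:project_id)s
    return creds.get(kind) == (target.get(m.group(1)) if m else value)

def evaluate(rule, creds, target):
    tokens, pos = TOKEN.findall(rule), 0
    def expr():                              # term ('or' term)*
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = term() or result
        return result
    def term():                              # factor ('and' factor)*
        nonlocal pos
        result = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = factor() and result
        return result
    def factor():                            # '(' expr ')' | check
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return _check(tok, creds, target)
        result, pos = expr(), pos + 1        # expr() advances pos; then skip ')'
        return result
    return expr()

# Constructed scenario: member of "tenant-a" creating a subnet in a shared net owned by "admin-project".
MEMBER = {"roles": ["member", "reader"], "project_id": "tenant-a"}
SHARED_NET_SUBNET = {"project_id": "tenant-a", "network:project_id": "admin-project"}
```

Running `evaluate(RULES["create_subnet_weak"], MEMBER, SHARED_NET_SUBNET)` returns True (the gap), while the same call with `create_subnet_fixed` returns False, and only becomes True when `network:project_id` is the member's own project.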