Public bug reported: I don't believe this is a bug as such, but additional policy in this area could be helpful.
We have a set of networks which are created against an admin project, and then shared into other projects via RBAC as required. The admin project creates a router for the networks, and we use FWaaS to restrict inbound/outbound traffic via the router. This is being used in the context of Ironic nodes which don't have security groups, and some VLAN networks with additional hardware devices present.

We have noted that a user in a project which has access to the network via RBAC can create an additional router and attach it to the network, provided they do so by port rather than subnet as this won't use the subnet's 'gateway IP'. The user can then associate floating IPs via their router, and establish inbound and outbound connectivity provided they override the DHCP-provided gateway address.

In order to work around this, we have modified code to restrict attaching router interfaces to the network owner (admin in this case). It wasn't possible to achieve this via the 'add_router_interface' policy as the policy relates to the owner of the router rather than the owner of the network. It would be helpful if the policy mechanism had the means to address this.

** Affects: neutron
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2091536

Title:
  Users of RBAC-shared networks can add their own router to bypass fwaas restrictions

Status in neutron:
  New
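Added illustration, not part of the bug report and not neutron's own code: a small model of the authorization decision the reporter describes. The stock 'add_router_interface' rule is evaluated against the router, so a tenant who owns their router passes it even when the port sits on a network owned by the admin project; the extra network-owner check is the workaround the reporter implemented in code. All class names, the RBAC visibility model and the sample projects/IDs are constructed assumptions for the demonstration.

```python
"""Hypothetical model (not neutron code) of the policy gap in bug 2091536.

The stock add_router_interface policy only sees the *router* as its target,
so it cannot express "only the network owner may attach a router here".
network_owner_check() is the rule the reporter had to add in code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Network:
    id: str
    project_id: str                 # owning project
    shared_to: FrozenSet[str]       # projects granted access via RBAC (assumed model)


@dataclass(frozen=True)
class Router:
    id: str
    project_id: str


@dataclass(frozen=True)
class Port:
    id: str
    network_id: str
    project_id: str


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False


def router_owner_policy(ctx: Context, router: Router) -> bool:
    """Mimics the stock rule: admin or the router's own project may add an
    interface. The network is never consulted, which is the gap."""
    return ctx.is_admin or ctx.project_id == router.project_id


def network_owner_check(ctx: Context, network: Network) -> bool:
    """Reporter's workaround: only the network owner (or admin) may attach a router."""
    return ctx.is_admin or ctx.project_id == network.project_id


def can_add_interface_by_port(ctx: Context, router: Router, port: Port,
                              networks: Dict[str, Network],
                              enforce_network_owner: bool) -> bool:
    """Decide an add-router-interface-by-port request.

    Attaching by port skips the subnet gateway IP, so the only thing that
    stops a tenant router from landing on a shared network is an explicit
    check on the network's owner."""
    network = networks[port.network_id]
    # Caller must be able to see the network at all: owner, or RBAC-shared.
    visible = (ctx.is_admin or ctx.project_id == network.project_id
               or ctx.project_id in network.shared_to)
    if not visible:
        return False
    if not router_owner_policy(ctx, router):
        return False
    if enforce_network_owner and not network_owner_check(ctx, network):
        return False
    return True


# Constructed sample data: admin-owned network shared to tenant-a via RBAC.
NETWORKS = {"net-1": Network("net-1", "admin-proj", frozenset({"tenant-a"}))}
ADMIN_ROUTER = Router("r-admin", "admin-proj")
TENANT_ROUTER = Router("r-tenant", "tenant-a")
TENANT_PORT = Port("p-1", "net-1", "tenant-a")
TENANT = Context("tenant-a")
ADMIN = Context("admin-proj", is_admin=True)
OUTSIDER = Context("tenant-b")


def demo():
    """Return (stock_decision, hardened_decision) for the tenant's request."""
    stock = can_add_interface_by_port(TENANT, TENANT_ROUTER, TENANT_PORT, NETWORKS, False)
    hardened = can_add_interface_by_port(TENANT, TENANT_ROUTER, TENANT_PORT, NETWORKS, True)
    return stock, hardened


if __name__ == "__main__":
    print("stock policy allows tenant router on shared net:", demo()[0])
    print("with network-owner check:", demo()[1])
```

With the stock rule the tenant's own router is accepted on the admin-owned network; with the network-owner check it is refused while the admin project's own router is still permitted. A project with no RBAC grant is refused on visibility before either rule runs.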