Any user can set a network as external
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | High | Elena Ezhova | |
Icehouse | Fix Released | High | Tristan Cacqueray | |
Bug Description
Even though the default policy.json restricts the creation of external networks to admin_only, any user can update a network as external.
I could verify this with the following test (PseudoPython):
project: ProjectA
user: ProjectMemberA has Member role on project ProjectA.
with network(
project_
def update_
body = {
}
}
if name is not None:
if shared is not None:
if router_external is not None:
The expected behaviour is that the operation should not be allowed, but the user without admin privileges is able to perform such a change.
Trying to add an "update_
Changed in neutron: assignee: Eugene Nikanorov (enikanorov) → Elena Ezhova (eezhova)
Changed in neutron: status: New → Confirmed
Changed in neutron: milestone: none → juno-3
Changed in neutron: status: Fix Committed → Fix Released
Changed in neutron: milestone: juno-3 → 2014.2
What kind of operations break if "update_network:router:external": "rule:admin_only" is added?
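An added example, not part of the original bug report or of neutron's code: a policy.json audit that flags attribute-level rules defined for one write action (create or update) but not the other, which is the gap this bug describes. The sample policy is constructed, and the `<action>_<resource>:<attribute>` key layout is assumed from the rule names quoted in the thread.

```python
import json

# Constructed sample policy for illustration; not neutron's real default policy.json.
SAMPLE_POLICY = json.loads("""
{
    "admin_only": "rule:context_is_admin",
    "create_network": "",
    "create_network:router:external": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only"
}
""")

WRITE_ACTIONS = ("create", "update")

def split_key(key):
    """Split '<action>_<resource>:<attribute>' (assumed layout); None if it does not match."""
    target, colon, attribute = key.partition(":")
    action, underscore, resource = target.partition("_")
    if not colon or not underscore or action not in WRITE_ACTIONS:
        return None
    return action, resource, attribute

def find_unprotected_writes(policy):
    """List attributes that have a rule for one write action but none for the other."""
    guarded = {}
    for key, rule in policy.items():
        parts = split_key(key)
        if parts:
            action, resource, attribute = parts
            guarded.setdefault((resource, attribute), {})[action] = rule
    findings = []
    for (resource, attribute), rules in sorted(guarded.items()):
        for action in WRITE_ACTIONS:
            if action not in rules:
                other = next(iter(rules))
                findings.append({
                    "missing": f"{action}_{resource}:{attribute}",
                    "present": f"{other}_{resource}:{attribute}",
                    "rule": rules[other],
                    # Resource-level rule for the same action, shown for context.
                    "resource_rule": policy.get(f"{action}_{resource}"),
                })
    return findings

if __name__ == "__main__":
    for f in find_unprotected_writes(SAMPLE_POLICY):
        print(f"{f['missing']} undefined; {f['present']} = {f['rule']!r}; "
              f"resource-level rule = {f['resource_rule']!r}")
```

Run it against a deployed policy file by replacing `SAMPLE_POLICY` with `json.load(open(path))`; an empty result means every attribute-level create rule has an update counterpart.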