Project administrators are allowed to view networks across projects
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Slawek Kaplonski | |
Bug Description
The new default policies in neutron help fix tenancy issues where users of one project are not allowed to view, create, modify, or delete resources within another project (enforcing hard tenancy).
With the new policies enabled by default, I'm able to view networks for other projects as an administrator of another project.
╭─ubuntu@
╰─➤ $ openstack --os-cloud devstack-alt-admin network create alt-network
/usr/lib/
from cryptography.utils import int_from_bytes
/usr/lib/
from cryptography.utils import int_from_bytes
+------
| Field | Value |
+------
| admin_state_up | UP |
| availability_
| availability_zones | |
| created_at | 2021-03-
| description | |
| dns_domain | None |
| id | 84c7464b-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_
| project_id | 13bde21b76fe474
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-
+------
╭─ubuntu@
╰─➤ $ openstack --os-cloud devstack-
/usr/lib/
from cryptography.utils import int_from_bytes
/usr/lib/
from cryptography.utils import int_from_bytes
+------
| Field | Value |
+------
| admin_state_up | UP |
| availability_
| availability_zones | |
| created_at | 2021-03-
| description | |
| dns_domain | None |
| id | 84c7464b-
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_
| project_id | 13bde21b76fe474
| provider:
| provider:
| provider:
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-
+------
╭─ubuntu@
╰─➤ $ cat /etc/openstack/
clouds:
devstack-
auth:
auth_url: http://
password: nomoresecret
project_
project_name: admin
user_
username: admin
identity_
region_name: RegionOne
volume_
devstack-
auth:
auth_url: http://
password: nomoresecret
project_
project_name: alt_demo
user_
username: alt_demo
identity_
region_name: RegionOne
volume_
I used the following configuration in neutron.conf:
[oslo_policy]
enforce_
enforce_scope = True
policy_file = /etc/neutron/
As the administrator of a project, I wouldn't expect to have access to networks not directly, or indirectly (public networks), associated to my project.
I think this is only applicable in the latest neutron branches (Wallaby M3) since the functionality just merged within the last couple of weeks.
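To make the mechanism behind this report concrete, the following is an added example; it is not neutron's or oslo.policy's code. It models a minimal subset of oslo.policy-style check strings (`role:`, `system_scope:`, a generic credential-vs-target comparison such as `project_id:%(project_id)s`, and a neutron-style target field check) so that the difference between a rule that admits any `role:admin` token and a rule that additionally requires `system_scope:all` can be exercised offline. The rule shapes, project ids and network records below are constructed assumptions and do not reproduce neutron's real default rules; the audit helper at the end uses only the field names visible in the report's tables (`project_id`, `shared`, `router:external`).

```python
# Added illustration for this bug report; not neutron or oslo.policy code.
# Rules are written as an OR-list of AND-lists of atoms, e.g.
#   [["role:admin", "system_scope:all"], ["project_id:%(project_id)s"]]
# which mirrors "(role:admin and system_scope:all) or project_id:%(project_id)s".
# Both rule shapes below are assumptions chosen to show the failure mode.

LEGACY_GET_NETWORK = [
    ["role:admin"],                      # any admin token, whatever its scope
    ["project_id:%(project_id)s"],       # owner of the network
    ["field:shared=True"],               # shared network
    ["field:router:external=True"],      # external (public) network
]

SCOPED_GET_NETWORK = [
    ["role:admin", "system_scope:all"],  # only a system-scoped admin sees everything
    ["project_id:%(project_id)s"],
    ["field:shared=True"],
    ["field:router:external=True"],
]


def _atom(atom, creds, target):
    """Evaluate one check atom against the caller's credentials and the resource."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match in creds.get("roles", ())
    if kind == "system_scope":
        return creds.get("system_scope") == match
    if kind == "field":
        # neutron-style check on the target resource: field:<name>=<value>
        name, _, value = match.partition("=")
        return str(target.get(name)) == value
    # generic check: a credential attribute compared with a literal, or with
    # a %(key)s value interpolated from the target resource
    if match.startswith("%(") and match.endswith(")s"):
        match = target.get(match[2:-2])
    value = creds.get(kind)
    return value is not None and value == match


def enforce(rule, creds, target):
    """True if any AND-group of the rule is fully satisfied."""
    return any(all(_atom(a, creds, target) for a in group) for group in rule)


# Constructed callers: a project-scoped admin of alt_demo, and a system-scoped admin.
ALT_ADMIN = {"roles": ["admin", "member", "reader"],
             "project_id": "alt-demo-project", "system_scope": None}
SYSTEM_ADMIN = {"roles": ["admin"], "project_id": None, "system_scope": "all"}

# Constructed network records (ids and project ids are placeholders).
NETWORKS = [
    {"id": "net-demo-private", "project_id": "demo-project",
     "shared": False, "router:external": False},
    {"id": "net-alt-private", "project_id": "alt-demo-project",
     "shared": False, "router:external": False},
    {"id": "net-public", "project_id": "demo-project",
     "shared": False, "router:external": True},
]


def visible_networks(rule, creds, networks=NETWORKS):
    """Ids of the networks the caller may read under the given rule."""
    return [n["id"] for n in networks if enforce(rule, creds, n)]


def cross_project_leaks(networks, caller_project_id):
    """Audit helper for records a project-scoped caller actually received:
    ids that are neither owned by the caller, shared, nor external.
    A non-empty result means hard tenancy is not being enforced."""
    return [n["id"] for n in networks
            if n.get("project_id") != caller_project_id
            and not n.get("shared") and not n.get("router:external")]


if __name__ == "__main__":
    print("legacy rule, alt_demo admin :", visible_networks(LEGACY_GET_NETWORK, ALT_ADMIN))
    print("scoped rule, alt_demo admin :", visible_networks(SCOPED_GET_NETWORK, ALT_ADMIN))
    print("scoped rule, system admin   :", visible_networks(SCOPED_GET_NETWORK, SYSTEM_ADMIN))
    print("leaks in legacy listing     :", cross_project_leaks(NETWORKS, "alt-demo-project"))
```

Under the legacy-shaped rule the alt_demo admin sees the other project's private network, which is the behaviour the report describes; under the scope-aware rule only its own network and the public one remain, while a system-scoped admin still sees everything. The audit helper is the check to run against the records a project-scoped admin really gets back after enabling the new defaults.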
| Changed in neutron | |
|---|---|
| status | New → Confirmed |
| importance | Undecided → High |
| milestone | none → wallaby-rc1 |
Proposed fix: https://bugs.launchpad.net/neutron/+bug/1919386