Security Group Rule Wrong Project Id
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | New | Undecided | Unassigned | |
Bug Description
Hello,
We created a role named `security_admin` for our security team, and we allow it to add/delete security rules for projects. But our sec team could not delete some rules. When we investigated the issue, we saw that some security group rules were created with the wrong project_id. We found out how this can happen. I describe the tested scenario:
1. Enter the security group page for a project
2. Click the `Add Rule` button
3. Then open a new browser tab and switch to another project
4. Return to the older `Add Rule` page, then add a new rule
Then, when we checked the security group rule's project id, we saw the wrong project_id. So our security_admin role could not delete the rule. We have 2 questions.
1) Is there any known issue with a wrong sg rule project_id value when a new browser tab is opened with another project?
# List projects with ids
(openstack-client) ➜ ~ openstack project list
+------
| ID | Name |
+------
| f9300721d2ab449
| 42c15a29b6c14e5
+------
# Create sg for `ProjectA` project and see sg's project_id
(openstack-client) ➜ ~ openstack security group show my-sg-test
+------
| Field | Value |
+------
| created_at | 2021-12-
| description | |
| id | 6f223ca4-
| name | my-sg-test |
| project_id | f9300721d2ab449
| revision_number | 1 |
| rules | created_
| | created_
| | created_
| stateful | True |
| tags | [] |
| updated_at | 2021-12-
+------
# Create sg rule like explained scenario. Then check sg rule's project_id
(openstack-client) ➜ ~ openstack security group rule show 395e5fd7-
+------
| Field | Value |
+------
| created_at | 2021-12-
| description | custom rule |
| direction | ingress |
| ether_type | IPv4 |
| id | 395e5fd7-
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 42c15a29b6c14e5
| protocol | None |
| remote_
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 6f223ca4-
| tags | [] |
| updated_at | 2021-12-
+------
The security group's project_id and the security group rule's project_id are not the same.
When deleting the rule via Horizon, we see a warning like: Error: Unable to delete rule: ALLOW IPv4 from 0.0.0.0/0
When deleting the rule via the CLI, we see these logs:
...
RESP BODY: {"security_
GET call to network for https:/
REQ: curl -g -i -X DELETE https:/
https:/
RESP: [404] content-length: 155 content-type: application/json date: Fri, 31 Dec 2021 08:52:14 GMT x-openstack-
RESP BODY: {"NeutronError": {"type": "SecurityGroupR
DELETE call to network for https:/
clean_up DeleteSecurityG
2) We gave all sg permissions to the `security_admin` role, but why can't they delete the sg rule? Are there any wrong or missing permissions? (We assigned a group with the security_admin role in the project permissions.)
(horizon)
"context_is_admin": "role:admin"
"admin_only": "rule:context_
"security_admin": "role:security_
"admin_
...
"create_
"get_security_
"update_
"delete_
"create_
"get_security_
"delete_
...
Expected result
===============
New role members can delete the sg rule
Actual result
=============
New role members can't delete the sg rule
Environment
===========
OpenStack Victoria Cluster installed via kolla-ansible on Ubuntu 20.04.2 LTS hosts. (Kernel:
horizon version : 18.6.3.dev29
Networking Type: Neutron with OpenVSwitch |"neutron-
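An added audit script, not part of this bug report or of Horizon, that finds the condition described above: security group rules whose project_id differs from the project_id of the security group they belong to, which is what leaves a project-scoped role unable to delete them. It assumes records in the field layout printed by `openstack security group show -f json` and `openstack security group rule show -f json`; the sample groups, rules and IDs below are constructed placeholders.

```python
"""Audit security group rules whose project_id does not match their parent
security group's project_id (the mismatch reported above).

Records use the field names of `openstack security group show -f json` and
`openstack security group rule show -f json`; only id, project_id and
security_group_id are required. All sample data here is constructed."""
from typing import Dict, Iterable, List


def find_mismatched_rules(groups: Iterable[dict],
                          rules: Iterable[dict]) -> List[dict]:
    """Return one finding per rule that is not owned by its group's project.

    A rule pointing at a group absent from `groups` is reported too, so a
    partial export does not silently hide an orphaned rule."""
    group_project: Dict[str, str] = {g["id"]: g["project_id"] for g in groups}
    findings: List[dict] = []
    for rule in rules:
        sg_id = rule.get("security_group_id")
        sg_project = group_project.get(sg_id)
        if sg_project is None:
            findings.append({"rule_id": rule["id"], "security_group_id": sg_id,
                             "problem": "unknown_security_group"})
        elif rule.get("project_id") != sg_project:
            findings.append({"rule_id": rule["id"], "security_group_id": sg_id,
                             "problem": "project_mismatch",
                             "rule_project_id": rule.get("project_id"),
                             "group_project_id": sg_project})
    return findings


# Constructed sample: placeholder IDs, not the values from the report.
SAMPLE_GROUPS = [
    {"id": "sg-0001", "name": "my-sg-test", "project_id": "project-A"},
]
SAMPLE_RULES = [
    {"id": "rule-01", "security_group_id": "sg-0001", "project_id": "project-A",
     "direction": "ingress", "ether_type": "IPv4", "remote_ip_prefix": "10.0.0.0/8"},
    # Created from a tab whose session had switched to project-B.
    {"id": "rule-02", "security_group_id": "sg-0001", "project_id": "project-B",
     "direction": "ingress", "ether_type": "IPv4", "remote_ip_prefix": "0.0.0.0/0"},
    # Points at a group not present in the export.
    {"id": "rule-03", "security_group_id": "sg-9999", "project_id": "project-A",
     "direction": "egress", "ether_type": "IPv4", "remote_ip_prefix": None},
]

if __name__ == "__main__":
    for finding in find_mismatched_rules(SAMPLE_GROUPS, SAMPLE_RULES):
        print(finding)
```

Feed it the real `show -f json` output for every group and rule in the project to get the list of rules an admin-scoped token will have to clean up.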