security group table doesn't observe Neutron policy settings
Bug #1915308 reported by Andrew Bogott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Andrew Bogott |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
The security group panel enables all actions (create/
In the code there's this telling readme:
# TODO(amotoki): [drop-nova-network] Add neutron policy support
In my deployment this is a bit alarming -- users who are intended to be read-only are nonetheless invited to delete things. Of course the Neutron backend /does/ observe the policy so this is ugly but not usually an actual security risk unless people have different back-end and front-end policy files.
I'm flagging as security-related nonetheless for the odd edge case where it poses a risk.
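The edge case named in the description, a dashboard policy file that has drifted from the one Neutron enforces, can be audited offline. The following is an added example, not code from the report, Horizon or Neutron: the sample policies are constructed, the helper names `allowed` and `drift` are hypothetical, and the evaluator handles only a simplified subset of the policy rule syntax (`role:` and `rule:` terms joined by `or`, empty rule, `!`).

```python
# Neutron policy names for the security-group actions discussed in the report.
SG_ACTIONS = (
    "create_security_group", "update_security_group", "delete_security_group",
    "create_security_group_rule", "delete_security_group_rule",
)

# Constructed sample policies (not taken from any real deployment).
BACKEND_POLICY = {"admin_or_member": "role:admin or role:member",
                  **{a: "rule:admin_or_member" for a in SG_ACTIONS}}
FRONTEND_POLICY = {**BACKEND_POLICY, "delete_security_group": ""}  # stale: rule emptied
FRONTEND_POLICY.pop("delete_security_group_rule")                  # stale: rule missing


def allowed(policy, name, roles, seen=()):
    """Evaluate a simplified rule: 'role:x' / 'rule:y' terms joined by ' or '."""
    expr = policy.get(name)
    if expr is None or name in seen:
        return None            # rule not defined (or cyclic): no decision
    if expr == "":
        return True            # empty rule always allows
    if expr == "!":
        return False           # '!' always denies
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and allowed(policy, value, roles, seen + (name,)):
            return True
    return False


def drift(frontend, backend, roles):
    """Return {action: (ui_decision, api_decision)} where the two policies disagree."""
    out = {}
    for action in SG_ACTIONS:
        ui, api = allowed(frontend, action, roles), allowed(backend, action, roles)
        if ui != api:
            out[action] = (ui, api)
    return out


if __name__ == "__main__":
    for action, (ui, api) in drift(FRONTEND_POLICY, BACKEND_POLICY, {"reader"}).items():
        print(f"{action}: dashboard={ui} neutron={api}")
```

A `None` on the dashboard side means the front-end file has no rule for that action, so the copy cannot be relied on to hide it.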
Changed in horizon:
assignee: nobody → Andrew Bogott (andrewbogott)
description: updated
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.