neutron service user should not require admin

Bug #1445475 reported by Brant Knudson
Affects                      Status      Importance  Assigned to  Milestone
OpenStack Security Advisory  Incomplete  Undecided   Unassigned
neutron                      New         Undecided   Unassigned

Bug Description

The typical config has nova using the 'neutron' user in the 'service' project to do operations against Neutron. The 'neutron' user should not require the 'admin' role on the 'service' project to do all the operations it needs to do against Neutron. Neutron's default policy.json should allow the 'neutron' user (i.e., users with the 'service' role) to do all the operations it needs to do against Neutron, rather than requiring 'admin'.

Nova is allocating networks and creating ports, so these operations need to allow the 'service' role to perform these operations, too.
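To make the least-privilege point concrete, the following is an added example (not from this bug report or from neutron's code): a toy evaluator for oslo.policy-style rule strings run against two constructed policy fragments, one where nova's operations are admin-only and one where a 'service' role suffices. The policy keys and the 'service' role/tenant names are constructed for illustration and are not neutron's actual default policy.json.

```python
"""Toy oslo.policy-style rule evaluator (illustrative, not oslo.policy)."""

def _check(expr, rules, creds, target):
    """Evaluate one rule expression against the caller's credentials.

    Supports '' or '@' (allow), '!' (deny), 'role:X', 'rule:NAME',
    'not ...', 'and' (binds tighter) and 'or', plus 'attr:%(attr)s'
    comparisons of a credential against the target object. No parentheses.
    """
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if " or " in expr:
        return any(_check(p, rules, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, rules, creds, target) for p in expr.split(" and "))
    if expr.startswith("not "):
        return not _check(expr[4:], rules, creds, target)
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return _check(rules.get(value, "!"), rules, creds, target)
    if value.startswith("%(") and value.endswith(")s"):
        return creds.get(kind) == target.get(value[2:-2])  # e.g. owner match
    return creds.get(kind) == value

def allowed(rules, action, creds, target=None):
    """True if 'creds' may perform 'action' on 'target' under 'rules'."""
    return _check(rules.get(action, "rule:default"), rules, creds, target or {})

# Constructed "before": the operations nova performs require the admin role.
ADMIN_ONLY_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
    "create_network": "rule:context_is_admin",
    "create_port": "rule:context_is_admin",
    "delete_network": "rule:admin_or_owner",
}

# Constructed "after": a 'service' role covers nova's operations, while
# acting on other tenants' resources still needs admin or ownership.
SERVICE_ROLE_POLICY = dict(ADMIN_ONLY_POLICY, **{
    "context_is_service": "role:service",
    "admin_or_service": "rule:context_is_admin or rule:context_is_service",
    "create_network": "rule:admin_or_service",
    "create_port": "rule:admin_or_service",
})

# Constructed credentials for the 'neutron' user in the 'service' project.
NEUTRON_SERVICE_USER = {"roles": ["service"], "tenant_id": "service"}
```

Under the admin-only fragment the service user cannot create ports at all; under the service-role fragment it can, yet still cannot delete another tenant's network, which is exactly the authority an 'admin' grant would have handed it.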

Brant Knudson (blk-u) wrote :

Giving the neutron user the admin role gives it too much authority, and is a potential privilege escalation.

information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

You've switched this bug report to indicate an exploitable security vulnerability. Can you describe in greater detail the exploitation scenario you have in mind? What sort of patch to neutron do you expect to correct this defect? Does this vulnerability appear in previous releases of neutron as well, or does it only affect the current master and stable/kilo branches of neutron?

Changed in ossa:
status: New → Incomplete
Brant Knudson (blk-u) wrote :

There's no way to exploit this that I know of, so this doesn't have to be a security bug... I'll change it back.

information type: Public Security → Public