rbac: can't delete other tenant's port on own network if not admin

Bug #1498790 reported by Kevin Benton on 2015-09-23
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
neutron
High
ZongKai LI

Bug Description

It's not possible to delete a port that belongs to another tenant if the caller isn't an admin even if he/she owns the network.

This is supposed to be possible according to the spec. See the last sentence here in this section: http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html#proposed-change

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)

Fix proposed to branch: master
Review: https://review.openstack.org/226665

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → High
tags: added: api

It'd be nice to show with actual CLI steps what how to repro this bug, you'd get a golden foil wrapped chocolate star.

tags: added: access-control
ZongKai LI (zongkai) wrote :

@Kevin Benton
I've seen you just marked https://bugs.launchpad.net/neutron/+bug/1524357 as duplicated to this one, I'm not sure why you did that.

For general operation, common user should get ports first, then delete ports. I reviewed your patch, I didn't find anything for get_ports/list operation, I don't think you recognized issue for list operation one is precondition for your patch.

I tried your patch just for port deleting, seems not work, getting "resource not found" as result, not sure if anything missing. I also tried my patch work with/without your patch, list operation both work, so it should be separated.

Fix proposed to branch: master
Review: https://review.openstack.org/266877

Changed in neutron:
assignee: Kevin Benton (kevinbenton) → ZongKai LI (lzklibj)

Fix proposed to branch: master
Review: https://review.openstack.org/266900

Change abandoned by ZongKai LI (<email address hidden>) on branch: master
Review: https://review.openstack.org/266877
Reason: Add into https://review.openstack.org/#/c/255285/4

Change abandoned by ZongKai LI (<email address hidden>) on branch: master
Review: https://review.openstack.org/266900
Reason: Add into https://review.openstack.org/#/c/255285/4

neo (524722778-8) on 2016-01-27
Changed in neutron:
status: In Progress → Confirmed
Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
milestone: none → mitaka-rc1

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/226665
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Reviewed: https://review.openstack.org/255285
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=67abf5f9f0e957150dd3b3b673094845810f9ea1
Submitter: Jenkins
Branch: master

commit 67abf5f9f0e957150dd3b3b673094845810f9ea1
Author: lzklibj <email address hidden>
Date: Wed Dec 9 21:52:05 2015 +0800

    RBAC: Fix port query and deletion for network owner

    Network owner should be able to get all ports and delete ports on
    network as policy allowed. But current code fails to support this.

    Current model query for Port is still based on tenant_id, it forgets
    to check for network owner when context tenant_id is not port owner.

    For port_delete action, policy will generate checking rules for port
    attributes, such as:
        rule:delete_port:binding:vif_details
        rule:delete_port:binding:vif_type
    This doesn't make sense, only single policy rule "rule:delete_port"
    is enough to check.

    This patch fixes this issue.

    Co-Authored-By: Kevin Benton <email address hidden>
    Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
    Closes-Bug: #1498790

Changed in neutron:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron 8.0.0.0rc1 release candidate.

Reviewed: https://review.openstack.org/292744
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a374e52c4c9b2465b736d34aeac0ca5c92755944
Submitter: Jenkins
Branch: master

commit a374e52c4c9b2465b736d34aeac0ca5c92755944
Author: Kevin Benton <email address hidden>
Date: Mon Mar 14 01:59:37 2016 -0700

    Add API test ensure tenant can't delete other ports

    Change I55328cb43207654b9bb4cfb732923982d020ab0a fixed
    the policy enforcement to ensure that tenants could
    delete ports on networks they didn't own. However, it
    required a change to the policy engine so this test
    adds a patch to ensure that it didn't break the normal
    case that prevents tenants from deleting other tenant's
    ports on networks they don't own.

    Change-Id: I3118ec79c213c4eea4c5ca494e530c33189f6c59
    Related-Bug: #1498790

Reviewed: https://review.openstack.org/316287
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c6f81881ef1fc0f0dce8f02568747ad216a450a7
Submitter: Jenkins
Branch: stable/liberty

commit c6f81881ef1fc0f0dce8f02568747ad216a450a7
Author: lzklibj <email address hidden>
Date: Wed Dec 9 21:52:05 2015 +0800

    RBAC: Fix port query and deletion for network owner

    Network owner should be able to get all ports and delete ports on
    network as policy allowed. But current code fails to support this.

    Current model query for Port is still based on tenant_id, it forgets
    to check for network owner when context tenant_id is not port owner.

    For port_delete action, policy will generate checking rules for port
    attributes, such as:
        rule:delete_port:binding:vif_details
        rule:delete_port:binding:vif_type
    This doesn't make sense, only single policy rule "rule:delete_port"
    is enough to check.

    This patch fixes this issue.

    Co-Authored-By: Kevin Benton <email address hidden>
    Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
    Closes-Bug: #1498790
    (cherry picked from commit 67abf5f9f0e957150dd3b3b673094845810f9ea1)

tags: added: in-stable-liberty

This issue was fixed in the openstack/neutron 7.1.0 release.

Reviewed: https://review.openstack.org/321789
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=48ea90326160fe54a605c621e32873fb2b8ef7bd
Submitter: Jenkins
Branch: stable/liberty

commit 48ea90326160fe54a605c621e32873fb2b8ef7bd
Author: Kevin Benton <email address hidden>
Date: Mon Mar 14 01:59:37 2016 -0700

    Add API test ensure tenant can't delete other ports

    Change I55328cb43207654b9bb4cfb732923982d020ab0a fixed
    the policy enforcement to ensure that tenants could
    delete ports on networks they didn't own. However, it
    required a change to the policy engine so this test
    adds a patch to ensure that it didn't break the normal
    case that prevents tenants from deleting other tenant's
    ports on networks they don't own.

    Change-Id: I3118ec79c213c4eea4c5ca494e530c33189f6c59
    Related-Bug: #1498790
    (cherry picked from commit a374e52c4c9b2465b736d34aeac0ca5c92755944)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers