Neutron RBAC not working for multiple extensions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| neutron | Confirmed | Undecided | Mykola Yakovliev | |
Bug Description
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https:/
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https:/
- https:/
Validation patches that identify some of these issues:
- https:/
- https:/
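The report above says the missing piece is the `"enforce_policy": True` flag in the extension resource definitions. The following is an added example written for this page, not Neutron's own code or one of the patches linked above. It models a Neutron-style resource attribute map and shows two things: an audit pass that lists client-settable attributes lacking the flag (the kind of check the validation patches perform), and a simplified policy evaluator in which an attribute-level rule such as `create_trunk:port_id` is only consulted when the attribute definition carries `enforce_policy`. The attribute map, the policy entries and the request are constructed for the example; the evaluator supports only the rule forms `""`, `"!"` and `"rule:admin_only"`, and treats an undefined rule as permissive, which is a simplification of the real engine.

```python
"""Added example: audit a Neutron-style resource attribute map for attributes
that lack 'enforce_policy', and model why a missing flag skips the rule.

Illustrative code written for this page, not Neutron's own source. The
attribute map below is constructed to resemble Neutron's RESOURCE_ATTRIBUTE_MAP
convention; attribute names and policy entries are assumptions.
"""

ADMIN_ONLY = "rule:admin_only"


def missing_enforce_policy(attr_map):
    """Return (collection, attribute) pairs that a client may set on POST or
    PUT but whose definition does not carry 'enforce_policy': True."""
    findings = []
    for collection, attrs in attr_map.items():
        for name, spec in attrs.items():
            client_settable = spec.get("allow_post") or spec.get("allow_put")
            if client_settable and not spec.get("enforce_policy"):
                findings.append((collection, name))
    return sorted(findings)


def attribute_rules(action, collection, target, attr_map):
    """Names of the attribute-level rules that apply to this request.

    In this model an attribute contributes a rule '<action>:<attribute>' only
    when the request explicitly sets it AND its definition has 'enforce_policy'.
    Unflagged attributes are silently skipped, which is the failure mode the
    report describes.
    """
    rules = []
    for name, spec in attr_map[collection].items():
        if name in target and spec.get("enforce_policy"):
            rules.append(f"{action}:{name}")
    return rules


def _check(rule, is_admin):
    """Tiny evaluator for the three rule forms used in this example."""
    if rule == "":
        return True          # empty rule: anyone may do this
    if rule == "!":
        return False         # nobody may do this
    if rule == ADMIN_ONLY:
        return is_admin
    raise ValueError(f"unsupported rule in this example: {rule!r}")


def enforce(action, collection, target, attr_map, policy, is_admin):
    """True if the action rule and every applicable attribute rule pass.
    An undefined rule is treated as permissive (simplification)."""
    names = [action] + attribute_rules(action, collection, target, attr_map)
    return all(_check(policy.get(name, ""), is_admin) for name in names)


def with_enforce_policy(attr_map):
    """Return a copy where every client-settable attribute is flagged,
    i.e. the shape of the fix the report asks for."""
    fixed = {}
    for collection, attrs in attr_map.items():
        fixed[collection] = {}
        for name, spec in attrs.items():
            spec = dict(spec)
            if spec.get("allow_post") or spec.get("allow_put"):
                spec["enforce_policy"] = True
            fixed[collection][name] = spec
    return fixed


# Constructed map: several attributes may be set on POST/PUT but none is flagged.
TRUNK_ATTRS_UNFLAGGED = {
    "trunks": {
        "id": {"allow_post": False, "allow_put": False, "is_visible": True},
        "tenant_id": {"allow_post": True, "allow_put": False, "is_visible": True},
        "port_id": {"allow_post": True, "allow_put": False, "is_visible": True},
        "admin_state_up": {"allow_post": True, "allow_put": True, "is_visible": True},
    }
}

# Constructed policy: only an admin may choose the parent port of a trunk.
POLICY = {
    "create_trunk": "",
    "create_trunk:port_id": ADMIN_ONLY,
}

# Constructed request from a non-admin project, mirroring the CLI steps above.
REQUEST = {"tenant_id": "demo", "port_id": "test-port", "admin_state_up": True}


def demo_can_create(attr_map):
    """Would the 'demo' (non-admin) user be allowed to create this trunk?"""
    return enforce("create_trunk", "trunks", REQUEST, attr_map, POLICY, is_admin=False)


if __name__ == "__main__":
    print("unflagged attributes:", missing_enforce_policy(TRUNK_ATTRS_UNFLAGGED))
    print("demo creates with unflagged map:", demo_can_create(TRUNK_ATTRS_UNFLAGGED))
    print("demo creates with flagged map:",
          demo_can_create(with_enforce_policy(TRUNK_ATTRS_UNFLAGGED)))
```

Running the audit against the unflagged map lists every client-settable attribute; with that map the non-admin request passes because the `create_trunk:port_id` rule is never selected, and after adding the flag the same request is denied. The audit function is the part worth reusing: pointed at a real extension's attribute map it gives a quick list of attributes whose policy rules would be ignored.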
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.