neutron

Security Group filtering hides rules from user

Bug #1824248 reported by Robin Cernin
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned
neutron
Fix Released
Undecided
Unassigned

Bug Description

Manage Rules part of the GUI hides the rules currently visible in the Launch Instance modal window.

It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.

When sending GET request as below, it responds only with the rules that are created by user and this happens when using Manage Rules part of the GUI: <WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

On the other hand when using GET request as below, it responds with all SG and it includes all rules, and there is no filtering and this is used in Launch Instance modal window: <WSGIRequest: GET '/api/network/securitygroups/'>

Here is example of rules display in Manage Rules part of GUI:

> /opt/stack/horizon/openstack_dashboard/dashboards/project/security_groups/views.py(50)_get_data()
-> return api.neutron.security_group_get(self.request, sg_id)
(Pdb) l
 45 @memoized.memoized_method
 46 def _get_data(self):
 47 sg_id = filters.get_int_or_uuid(self.kwargs['security_group_id'])
 48 try:
 49 from remote_pdb import RemotePdb; RemotePdb('127.0.0.1', 444).set_trace()
 50 -> return api.neutron.security_group_get(self.request, sg_id)
 51 except Exception:
 52 redirect = reverse('horizon:project:security_groups:index')
 53 exceptions.handle(self.request,
 54 _('Unable to retrieve security group.'),
 55 redirect=redirect)
(Pdb) p api.neutron.security_group_get(self.request, sg_id)
<SecurityGroup: {'description': 'Default security group', 'tags': [], 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'created_at': '2019-03-27T00:40:38Z', 'updated_at': '2019-04-09T06:44:45Z', 'security_group_rules': [{'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:38Z', 'revision_number': 0, 'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:38Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'remote_group_id': None, 'remote_ip_prefix': '::/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}], 'revision_number': 3, 'project_id': '4e6e476afd784a92b295f139c429d596', 'id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'name': 'default', 'rules': [<SecurityGroupRule: {'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>, <SecurityGroupRule: {'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '::/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>]}>
(Pdb)

(Pdb) p self.request
<WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

As you might have noticed there are no ports access 44 and 22 (SSH)

And from the Launch Instance Modal Window, as well as CLI we can see that there are two more rules that are invisible for user, port 44 and 22 (SSH) as displayed below:

> /opt/stack/horizon/openstack_dashboard/api/rest/network.py(47)get()
-> return {'items': [sg.to_dict() for sg in security_groups]}
(Pdb) l
 42 """
 43
 44 security_groups = api.neutron.security_group_list(request)
 45 from remote_pdb import RemotePdb; RemotePdb('127.0.0.1', 444).set_trace()
 46
 47 -> return {'items': [sg.to_dict() for sg in security_groups]}
 48
 49
 50 @urls.register
 51 class FloatingIP(generic.View):
 52 """API for a single floating IP address."""
(Pdb) p security_groups
[<SecurityGroup: {'description': 'Default security group', 'tags': [], 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'created_at': '2019-03-27T00:40:38Z', 'updated_at': '2019-04-09T06:44:45Z', 'security_group_rules': [{'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:38Z', 'revision_number': 0, 'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:38Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': 'tcp', 'description': '', 'tags': [], 'port_range_max': 22, 'updated_at': '2019-04-09T03:30:43Z', 'revision_number': 0, 'id': '2a2e4a88-c837-40b9-a6ef-dd044d2edfe1', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-04-09T03:30:43Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '41fb025277044aabab7537a70616d575', 'port_range_min': 22, 'ethertype': 'IPv4', 'project_id': '41fb025277044aabab7537a70616d575'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'remote_group_id': None, 'remote_ip_prefix': '::/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': 'tcp', 'description': '', 'tags': [], 'port_range_max': 44, 'updated_at': '2019-04-09T06:44:45Z', 'revision_number': 0, 'id': 'db350a38-26c4-4e9c-ae8d-25cc2c5d2025', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-04-09T06:44:45Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '41fb025277044aabab7537a70616d575', 'port_range_min': 44, 'ethertype': 'IPv4', 'project_id': '41fb025277044aabab7537a70616d575'}, {'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}], 'revision_number': 3, 'project_id': '4e6e476afd784a92b295f139c429d596', 'id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'name': 'default', 'rules': [<SecurityGroupRule: {'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>, <SecurityGroupRule: {'id': '2a2e4a88-c837-40b9-a6ef-dd044d2edfe1', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'description': '', 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '::/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'db350a38-26c4-4e9c-ae8d-25cc2c5d2025', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': 'tcp', 'from_port': 44, 'to_port': 44, 'description': '', 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>]}>]
(Pdb)

(Pdb) p request
<WSGIRequest: GET '/api/network/securitygroups/'>

Thank you,
Robin

See original description
Revision history for this message
Gage Hugo (gagehugo) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Robin Cernin (rcernin) wrote :

There is easy reproducer:

1. Source the admin credentials

2. Add a security group rule to someone else project 'default' group

3. Login into Horizon as the user who owns that modified security group

4. Navigate to Network -> Security Groups -> Manage Rules for 'default' group

5. The rules are not visible as the API doesn't return see Bug description

It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

This is not an issue specific to horizon. This is the behavior of neutron. This is an operation example: http://paste.openstack.org/show/749157/

Question to the bug author: Is it specific to horizon?

Revision history for this message
Akihiro Motoki (amotoki) wrote :

In OpenStack deployments, admin role has a lot of power and this is not specific to this case reported here.
I think this is the security model we adopt now.

On the other hand, neutron needs to allow operators to configure a policy for create_security_group_rule. If it does not work, this is another issue and we (as my neutron team hat) should fix it. I will check the current behavior.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

I added 'neutron' as affected projects based on the above analysis.

Revision history for this message
Robin Cernin (rcernin) wrote :

From Security perspective we should be transparent. I don't have much voice here but I would vote for exposing all of the rules in the Manage Rules part of the GUI rather hiding some rules from the user.

Revision history for this message
Robin Cernin (rcernin) wrote :

> Question to the bug author: Is it specific to horizon?

This is neutron related.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

Horizon itself applies no filtering on API responses from neutron, so there is nothing to do in the horizon side and this needs to be discussed as neutron API behavior. It is not specific to GUI. It is same for CLI and API. As horizon, this is related to horizon but there is no room that horizon can do. All need to be discussed as neutron perspective.

Robin Cernin (rcernin)
no longer affects: horizon
Revision history for this message
Jeremy Stanley (fungi) wrote :

In determining whether we should lift the embargo on this discussion, it would be useful to know if there are already plenty of other ways for an admin to backdoor network access controls besides the one specifically raised in this report.

Revision history for this message
Brian Haley (brian-haley) wrote :

I guess I would agree with what Robin said - we should be transparent and at least show all the rules in the security group, even if the user can't update/delete some of them.

Regarding other ways to backdoor into an instance, or at least possibly get network access - in a related way I suppose it would be similar if an admin created a security group with a rule and added it to the instance. I'm guessing that SG wouldn't be visible either, but it's rule would be applied.

Revision history for this message
Jeremy Stanley (fungi) wrote :

In that case, if it's already possible for an admin to create security groups which apply to an instance but are invisible to non-admins, and that is seen as a feature, then the ability for an admin to create a rule a non-admin can't see in a security group they normally can see doesn't seem like an added risk.

Am I understanding your comment correctly, Brian?

Revision history for this message
Brian Haley (brian-haley) wrote :

Jeremy - I wouldn't call it a feature, just a (possible) other way to have a security group rule apply to an instance without the owner's knowledge. I just wanted to raise it to whoever fixes the rules to make sure they take one step up to the group as well. I guess the assumption has always been you trust your admin to some point to not do such things.

Revision history for this message
Jeremy Stanley (fungi) wrote :

And this also assumes the admin in question lacks SSH access to the hypervisor host, control of the software deployed, or any of a myriad of other ways to have a similar influence over network filtering policy. Unfortunately I don't know enough about how typical of a scenario that is to be able to gauge whether we can safely continue the discussion and any related patch development in public. Hopefully someone who is subscribed to this bug has more operational insight than I do and can make a guess.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

I just created what Brian said. And for security groups attached for port it works differently. Even if group is owned by other tenant than project and I was able to see all sec groups used by port. See http://paste.openstack.org/show/749325/

So IMO we should fix it in neutron and display rules assigned to security group, no matter to which project it belongs.

Revision history for this message
Brian Haley (brian-haley) wrote :

Slawek - thanks for testing that out, but I did notice something in the paste. Although the tenant could see the security group ID, it couldn't list the rules associated with it, so there is still the possibility of a hidden rule allowing port access.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

@Brian: yes, that is correct. But still user can at least see that admin attached SOME additional security group(s) to the port. If admin will attach additional rules to user's SG than user will not be aware of it at all.

Revision history for this message
Robin Cernin (rcernin) wrote :

@slaweq: There is a way that user can get aware of it, if you open modal window of "Launch Instance" The SGs/rules there are unfiltered.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

@Robin: I didn't know that. Is Horizon getting them as an admin maybe in this modal window? Or how it is different than in other places?
I think I was checking it with CLI and I didn't saw such rules but I will have to confirm that once again.

Revision history for this message
Robin Cernin (rcernin) wrote :

@Slaweq I checked and it seems different API call:

<WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

VS

<WSGIRequest: GET '/api/network/securitygroups/'>

The last one is used in modal window and it does not have any filtering. Shows all rules.

Revision history for this message
Jeremy Stanley (fungi) wrote :

So admin-added rules appear in the the Launch Instance modal, just not the normal Manage Security Groups view? If so, then coupling this with the fact that it relies on a malicious service admin to actually pull off any attack of this sort, I think we should be able to continue the discussion in public. I also lean toward categorizing this as a security hardening opportunity rather than a vulnerability in need of an advisory as it's at best only partly capable of hiding any "backdoor" network access rules.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

@Robin: thx for info.
I know that "GET /v2.0/security-groups/79d6ff90-598c-425a-b0b9-bfaa370dcbc9" is call to neutron API for sure and this one don't shows rules which not belongs to user's tenant.
But I have no idea what is GET /api/network/securitygroups - is it some call to Nova's api maybe, or is it something "internal" for Horizon?

@Jeremy: based on what I wrote above, I'm not sure that it isn't security issue from Neutron point of view. I don't know the way how user would be able to see such "extra" rules created by admin for his SG.
But I also don't think that this should still be keeped as private bug. It may also be "vulnerable" if admin user want's it. And if someone is admin already than probably he can do much more than only add some "hidden" security group rule.

Revision history for this message
Robin Cernin (rcernin) wrote :

@Slaweq:
>I don't know the way how user would be able to see such "extra" rules created by admin for his SG.

Try adding rule as admin to demo, then login as demo and go to Compute -> Launch Instance -> it opens a modal window, switch to Security Groups -> Expand default security group and you should see the rules there created by admin.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

@Robin: Yes, I understand how it can be checked via horizon. I'm now wondering what API calls Horizon is doing underneath that it has different results. And I don't know what is exactly "GET /api/network/securitygroups" call.
Maybe Akihiro or Brina will know it?

Revision history for this message
Brian Haley (brian-haley) wrote :

I don't know about the GET, but looking at the horizon code it just uses the neutronclient library to make a list_security_groups() call. It doesn't seem to be using the admin role either.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Does anyone object to continuing this discussion in public? Based on recent comments it seems that while there is still some confusion over which API calls Horizon is relying on, there are ways for a normal user to find these rules in the UI. Also, I doubt "malicious admin" is something we can reasonably expect to protect users against in the first place.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

+1 to switching this to public based on above comments.

Revision history for this message
Matthias Runge (mrunge) wrote :

In my understanding, there should be nothing exposable by horizon, which was not already known to the user. Showing data which could be accessed by the user via other ways (and still using the same credentials) is not a security breach in my view.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Matthias: The concern raised by this report is actually the opposite... that it's possible for an admin to "hide" some nefarious security group rules from normal users (though it turns out that's only partly effective if the users know which modal to look in).

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

I also think that this can be switched to be public.
@Matthias, so do You think that user (owner of security group) shouldn't see any rule which belongs to this group but is created by different user (admin)?
IMO user should be able to see such rules but shouldn't be able to modify or delete them.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Seems there's support for switching this to public and no real disagreement with my suggestion a month ago to treat this as a security hardening opportunity rather than a vulnerability, so I'll triage it publicly as such now and we can continue to debate/fix without any further embargo.

Treating as a class D report per https://security.openstack.org/vmt-process.html#incident-report-taxonomy .

description: updated
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
tags: added: security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/660174

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/660175

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/661281

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/661283

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/661284

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/660174
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1920a37a94b7a9589dcf83f6ff0765068560dbf8
Submitter: Zuul
Branch: master

commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

    Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

    This patch changes to use admin_context to get security group rules
    in get_security_group() method to achieve that.

    Test to cover such case is added in neutron-tempest-plugin repo.

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/661281
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=acd081c298052e678eb2ff74434d1529544088d8
Submitter: Zuul
Branch: stable/stein

commit acd081c298052e678eb2ff74434d1529544088d8
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

    Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

    This patch changes to use admin_context to get security group rules
    in get_security_group() method to achieve that.

    Test to cover such case is added in neutron-tempest-plugin repo.

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/661283
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=252d80058cacc797fbfb970ad42031efe301b0e2
Submitter: Zuul
Branch: stable/rocky

commit 252d80058cacc797fbfb970ad42031efe301b0e2
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

    Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

    This patch changes to use admin_context to get security group rules
    in get_security_group() method to achieve that.

    Test to cover such case is added in neutron-tempest-plugin repo.

    Conflicts:
        neutron/db/securitygroups_db.py

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)

tags: added: in-stable-rocky
tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/661284
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e02b66a858b552783d442b52e08f296c849951db
Submitter: Zuul
Branch: stable/queens

commit e02b66a858b552783d442b52e08f296c849951db
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

    Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

    This patch changes to use admin_context to get security group rules
    in get_security_group() method to achieve that.

    Test to cover such case is added in neutron-tempest-plugin repo.

    Conflicts:
        neutron/db/securitygroups_db.py

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)
    (cherry picked from commit 252d80058cacc797fbfb970ad42031efe301b0e2)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/660175
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=87c3f941a3dd168d64226a4e238545ed69e05383
Submitter: Zuul
Branch: master

commit 87c3f941a3dd168d64226a4e238545ed69e05383
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:50:53 2019 +0200

    Add API test case to check if SG displays all rules

    This patch adds new API test which checks if owner of security group
    can see rules which belongs to his security group even if rule was
    created and belongs to other user (admin).

    Patch for master branch:
    Depends-On: https://review.opendev.org/660174

    Backport to stable/Stein:
    Depends-On: https://review.opendev.org/661281

    Backport to stable/Rocky:
    Depends-On: https://review.opendev.org/661283

    Backport to stable/Queens:
    Depends-On: https://review.opendev.org/661284

    Change-Id: I728cd8252d27e27e91bd95e4734d9db470dee35a
    Related-Bug: #1824248

Bernard Cafarelli (bcafarel)
tags: added: neutron-proactive-backport-potential
Revision history for this message
ZhangChi (chzhang8) wrote :

https://review.opendev.org/#/c/660174/
This solution patch can result in another bug as follows:
https://bugs.launchpad.net/tricircle/+bug/1831848

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.4

This issue was fixed in the openstack/neutron 13.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.2

This issue was fixed in the openstack/neutron 14.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.1.0

This issue was fixed in the openstack/neutron 12.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/681910

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/681912

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/688715

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/688716

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/688717

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/688719

Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Slawek Kaplonski (slaweq) → nobody
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/rocky)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/688717
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/queens)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/688719
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-tempest-plugin (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/681912
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/681910
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b898d2e3c08b50e576ee849fbe8614c66f360c62
Submitter: Zuul
Branch: master

commit b898d2e3c08b50e576ee849fbe8614c66f360c62
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

    List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

    GET /v2.0/security-groups/<sec_group_id>

    But it is also required to behave in same way for

    GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/688715
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6b55d760bee4ea228a466cd45193f77eae53978
Submitter: Zuul
Branch: stable/train

commit a6b55d760bee4ea228a466cd45193f77eae53978
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

    List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

    GET /v2.0/security-groups/<sec_group_id>

    But it is also required to behave in same way for

    GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/688716
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=47890e9b85826951387fedb57ab474bd20ab1c3b
Submitter: Zuul
Branch: stable/stein

commit 47890e9b85826951387fedb57ab474bd20ab1c3b
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

    List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

    GET /v2.0/security-groups/<sec_group_id>

    But it is also required to behave in same way for

    GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)

Revision history for this message
Sam Morrison (sorrison) wrote :

Just a heads up that this causes a huge performance regression see lp:1863201

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/688717
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=993a344559f293a225fe5dd59525e580249c652f
Submitter: Zuul
Branch: stable/rocky

commit 993a344559f293a225fe5dd59525e580249c652f
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

    List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

    GET /v2.0/security-groups/<sec_group_id>

    But it is also required to behave in same way for

    GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

    Conflicts:
        neutron/conf/policies/security_group.py

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.2

This issue was fixed in the openstack/neutron 15.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.1.0

This issue was fixed in the openstack/neutron 14.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/688719
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e00ebee05318edbd18f49df0fd34697d0e1417ed
Submitter: Zuul
Branch: stable/queens

commit e00ebee05318edbd18f49df0fd34697d0e1417ed
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

    List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

    GET /v2.0/security-groups/<sec_group_id>

    But it is also required to behave in same way for

    GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

    Conflicts:
        etc/policy.json
        neutron/policy.py

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)
    (cherry picked from commit 36d1086569627af5dafd734333a7ebc4bc060d77)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/681912
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=31c0006ded28255e2502d2975648f1fe603ec127
Submitter: Zuul
Branch: master

commit 31c0006ded28255e2502d2975648f1fe603ec127
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:11:35 2019 +0200

    Add list security group rules API test

    This test checks that regular user can see all SG rules which belongs
    to his tenant OR belongs to security group owned by his tenant.

    This test also ensures that SG rules from different tenants and Security
    Groups are not visible for regular user.

    Fix for master branch
    Depends-On: https://review.opendev.org/681910

    Fix for stable/train
    Depends-On: https://review.opendev.org/688715

    Fix for stable/stein
    Depends-On: https://review.opendev.org/688716

    Fix for stable/rocky
    Depends-On: https://review.opendev.org/688717

    Fix for stable/queens
    Depends-On: https://review.opendev.org/688719

    Change-Id: Ic2e97ab8162d10e507ef83b9af0840e7311f0587
    Related-Bug: #1824248

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.7

This issue was fixed in the openstack/neutron 13.0.7 release.

Slawek Kaplonski (slaweq)
tags: removed: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.