Project administrators are allowed to view networks across projects

Bug #1919386 reported by Lance Bragstad on 2021-03-16
Affects Status Importance Assigned to Milestone
neutron
High
Slawek Kaplonski

Bug Description

The new default policies in neutron help fix tenancy issues where users of one project are not allowed to view, create, modify, or delete resources within another project (enforcing hard tenancy).

With the new policies enabled by default, I'm able to view networks for other projects as an administrator of another project.

╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ openstack --os-cloud devstack-alt-admin network create alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-03-16T21:27:28Z |
| description | |
| dns_domain | None |
| id | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_enabled | True |
| project_id | 13bde21b76fe4744904785a9a61512b7 |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 3 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-16T21:27:28Z |
+---------------------------+--------------------------------------+
╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ openstack --os-cloud devstack-admin-admin network show alt-network
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-03-16T21:27:28Z |
| description | |
| dns_domain | None |
| id | 84c7464b-3351-4a47-88d1-3b6615967e87 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | alt-network |
| port_security_enabled | True |
| project_id | 13bde21b76fe4744904785a9a61512b7 |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 3 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2021-03-16T21:27:28Z |
+---------------------------+--------------------------------------+

╭─ubuntu@neutron-devstack /opt/stack/neutron ‹master›
╰─➤ $ cat /etc/openstack/clouds.yaml
clouds:
  devstack-admin-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: admin
      user_domain_id: default
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'
  devstack-alt-admin:
    auth:
      auth_url: http://192.168.1.20/identity
      password: nomoresecret
      project_domain_id: default
      project_name: alt_demo
      user_domain_id: default
      username: alt_demo
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'

I used the following configuration in neutron.conf:

  [oslo_policy]
  enforce_new_defaults = True
  enforce_scope = True
  policy_file = /etc/neutron/policy.json

As the administrator of a project, I wouldn't expect to have access to networks not directly, or indirectly (public networks), associated with my project.

I think this is only applicable in the latest neutron branches (Wallaby M3) since the functionality just merged within the last couple of weeks.
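The expectation stated in the report (a project-scoped admin should only be shown networks owned by their project, shared with everyone, or external) can be turned into a regression check over API responses. The following is an added example, not code from the bug report or from neutron; the sample responses are constructed from the values shown in the report (the alt-network id and project id are taken from it, the admin project id and the two extra networks are made up), and the assumption that a `network list` result is a list of dicts with the same field names as the `network show` output above is the author's, not the project's.

```python
"""Tenancy-isolation check for Neutron network listings.

Added example (not from the bug report or from neutron). A project-scoped
caller is expected to see a network only if it belongs to their project,
is shared, or is external (public). Anything else in the listing is a
cross-project leak of the kind the report describes.
"""

ALT_PROJECT_ID = "13bde21b76fe4744904785a9a61512b7"  # project id shown in the report
ADMIN_PROJECT_ID = "constructed-admin-project-id"   # constructed placeholder, not real

# Constructed sample: networks returned to the 'admin' project's admin while
# the alt_demo project owned alt-network (first entry mirrors the report).
SAMPLE_NETWORKS = [
    {"id": "84c7464b-3351-4a47-88d1-3b6615967e87", "name": "alt-network",
     "project_id": ALT_PROJECT_ID, "shared": False, "router:external": "Internal"},
    {"id": "11111111-1111-1111-1111-111111111111", "name": "public",
     "project_id": ADMIN_PROJECT_ID, "shared": False, "router:external": "External"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "private",
     "project_id": ADMIN_PROJECT_ID, "shared": False, "router:external": False},
]


def is_external(network):
    """Accept both the CLI rendering ('External'/'Internal', as in the report)
    and the raw API boolean for the router:external field."""
    value = network.get("router:external")
    return value is True or value == "External"


def is_visible_to_project(network, caller_project_id):
    """True if a project-scoped caller should legitimately see this network."""
    if network.get("project_id") == caller_project_id:
        return True          # directly associated with the caller's project
    if network.get("shared") is True:
        return True          # explicitly shared across projects
    if is_external(network):
        return True          # indirectly associated (public network)
    return False


def find_cross_project_leaks(networks, caller_project_id):
    """Return every network the caller was shown but should not have been."""
    return [n for n in networks if not is_visible_to_project(n, caller_project_id)]


def summarize(networks, caller_project_id):
    """Compact result suitable for a CI assertion or an audit log line."""
    leaks = find_cross_project_leaks(networks, caller_project_id)
    return {"checked": len(networks), "leaks": [n["id"] for n in leaks]}


if __name__ == "__main__":
    # Replay the report's scenario: the admin project's admin sees alt-network.
    result = summarize(SAMPLE_NETWORKS, ADMIN_PROJECT_ID)
    for net_id in result["leaks"]:
        print(f"cross-project network visible: {net_id}")
    print(f"checked={result['checked']} leaks={len(result['leaks'])}")
```

In a real deployment the listing would come from the Neutron API (for example `openstack network list -f json` run with a project-scoped admin token) instead of the constructed sample; the check itself is the same. Running it once per project after enabling `enforce_new_defaults` and `enforce_scope` is a cheap way to confirm the isolation the new defaults are meant to provide.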

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → wallaby-rc1
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: Confirmed → In Progress
Lance Bragstad (lbragstad) wrote :

Just to confirm - prior to any of the system-scope or secure RBAC work operators were signified as anyone with the 'admin' role.

Someone would be affected by this if they rolled out this code, enabled it, and started giving people in their deployment 'admin' on projects, which is probably pretty unlikely.

Thanks for the quick patches, Slawek!

Slawek Kaplonski (slaweq) wrote :

Fix merged in neutron-lib.

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.10.1

This issue was fixed in the openstack/neutron-lib 2.10.1 release.
