Unable to show security groups for non-admin users if custom policies are used.

Bug #1933242 reported by Vadim Ponomarev
This bug affects 4 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Akihiro Motoki
Milestone: (none)

Bug Description

Neutron's RBAC system supports security group sharing, but it is impossible to use it with changed policies. When RBAC for security groups was added [1], the "shared" field was not added to the database. As a result, we cannot use this flag for policy checks, and SG sharing will work only with the default [2] policy; it is impossible to configure policies like:

"shared_security_groups": "field:security_groups:shared=True",
"get_security_group": "rule:admin or rule:shared_security_groups",

How to reproduce:
1. change the policies and add a check for the 'shared' field as mentioned above;
2. create a new SG with admin permissions;
3. share the SG with another project;
4. try to get this SG by ID with project owner permissions.

Such policies work perfectly for other RBAC objects like networks, subnet pools etc.

[1] https://review.opendev.org/c/openstack/neutron/+/635311
[2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/security_group.py#L66

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

I think that was replied to in IRC by Slawek. The field "shared" can be used with your custom policies, but SG objects do not have this field.

For security groups you need to use RBAC. In any case, the "shared" field has been dropped from some DB objects and is still waiting to be removed from others [1][2], in favor of RBACs.

Regards.

[1] https://review.opendev.org/c/openstack/neutron/+/709122/13/neutron/db/models/address_scope.py
[2] https://review.opendev.org/c/openstack/neutron/+/710755/11/neutron/db/models_v2.py

Revision history for this message
Akihiro Motoki (amotoki) wrote :

I confirmed this when a custom policy is used for "get_security_group".

This also happens when oslo_policy.enforce_new_defaults is set to True (even with the default policy). This does not happen with the current neutron default policy because the deprecated rule for "get_security_group" is ANY, so the policy evaluation succeeds even when the evaluation of the new rule fails as the deprecated rule allows it.

This bug prevents operators from using a customized policy rule with the network RBAC feature, so I am marking this as High.

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Akihiro Motoki (amotoki)

Akihiro Motoki (amotoki)
tags: added: access-control
tags: added: api
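As an added illustration (not neutron or oslo.policy code), the following Python models the evaluation described in the report and in the comment above: a "field:" check can only match an attribute the target object actually carries, an operator override in the policy file replaces the in-code default outright, and the deprecated ANY rule is consulted only while enforce_new_defaults is off. The rule texts, the target dictionaries and the fallback logic are constructed assumptions; the in-code default is deliberately given the same text as the report's custom policy so that only the presence of the override differs between the two cases.

```python
import re

class PolicyModel:  # constructed stand-in for oslo.policy, not the real library
    def __init__(self, defaults, deprecated, file_rules=None, enforce_new_defaults=False):
        self.defaults = defaults            # in-code default rules
        self.deprecated = deprecated        # deprecated check per rule name
        self.file_rules = file_rules or {}  # operator overrides (policy file)
        self.enforce_new_defaults = enforce_new_defaults

    def _check(self, expr, target, creds):
        expr = expr.strip()
        if " or " in expr:
            return any(self._check(p, target, creds) for p in expr.split(" or "))
        if expr == "@":                          # ANY: always allowed
            return True
        if expr.startswith("rule:"):
            return self.enforce(expr[5:], target, creds)
        if expr.startswith("role:"):
            return expr[5:] in creds["roles"]
        m = re.fullmatch(r"field:\w+:(\w+)=(.+)", expr)
        if m:  # reads an attribute of the target; a missing attribute never matches
            attr, value = m.groups()
            return attr in target and str(target[attr]) == value
        raise ValueError(f"unsupported check: {expr}")

    def enforce(self, action, target, creds):
        if action in self.file_rules:            # operator override: no fallback
            return self._check(self.file_rules[action], target, creds)
        if self._check(self.defaults[action], target, creds):
            return True
        # The deprecated default is consulted only while enforce_new_defaults is off.
        return (not self.enforce_new_defaults and action in self.deprecated
                and self._check(self.deprecated[action], target, creds))

DEFAULTS = {  # constructed; the deprecated get_security_group check is ANY ("@")
    "admin": "role:admin",
    "shared_security_groups": "field:security_groups:shared=True",
    "get_security_group": "rule:admin or rule:shared_security_groups",
}
DEPRECATED = {"get_security_group": "@"}
CUSTOM_POLICY = {"get_security_group": "rule:admin or rule:shared_security_groups"}

def can_get_sg(sg, custom_policy=False, enforce_new_defaults=False):
    # A non-admin member of the project the SG was shared with does a GET.
    engine = PolicyModel(DEFAULTS, DEPRECATED,
                         CUSTOM_POLICY if custom_policy else None, enforce_new_defaults)
    return engine.enforce("get_security_group", sg, {"roles": ["member"]})

SG_NO_FIELD = {"id": "sg-1", "project_id": "owner-project"}  # shared via RBAC, no 'shared' attr
SG_WITH_FIELD = {**SG_NO_FIELD, "shared": True}  # what the fix must populate
```

With the default policy the deprecated ANY rule hides the missing attribute; with either the custom policy or enforce_new_defaults the GET is denied until the object carries "shared".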
Revision history for this message
Brian Haley (brian-haley) wrote :

As https://review.opendev.org/c/openstack/neutron/+/811242 has merged, let's close this bug.

Changed in neutron:
status: Confirmed → Fix Released