[RFE] Can't protect the "default" security group from regular users
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Wishlist | Rodolfo Alonso |
Bug Description
The 'default' security group is applied to all VMs in a tenant. This means that tampering with it from one user can prevent other users' VMs from working (e.g. deleting the "ssh ingress" rule). While you can limit actions on the whole security group matching the "name" field (field:
Steps to reproduce:
- policy.yaml
"sg_is_default": "field:
"delete_
- user can still delete rules from 'default'
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
tags: added: rfe-a removed: rfe
tags: added: rfe-approved removed: rfe-a
Hi there! Thanks for your report.
My initial thought on this is that maybe if you want to prevent a user from modifying the security group of another user, using different projects might be a good idea for that, since then the user will be isolated on their project and not able to change the security groups or any other resource from a project they don't have access to.
However, there might be a different use case I'm not aware of that cannot be resolved this way; I will be happy to know more about it. For now I'm setting this as opinion since this is expected behaviour and not a bug, but we can keep discussing and change the status as needed.