create_subnet policy allows users to create subnet in the shared networks
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| neutron | Fix Released | Medium | Slawek Kaplonski | |
Bug Description
## Context
We normally provide the external network as a shared resource so that any user can use it.
But with this new scoped policy, users can create subnets in that external network even if they are not members of the admin project.
```
"create_subnet": "(rule:admin_only) or (role:member and project_
```
If I remove `(role:member and project_
## Expected result
Users should not be able to create subnets in shared networks or default networks if they are not members of the networks' owning projects.
## Version information
release: stable/zed
I was able to reproduce it in a zed Devstack as well. Btw, master Devstack works as expected.
## Workaround
We use the deprecated rule `"create_
## Concern
- I am not sure why we need `(role:member and project_
- I didn't have a chance to check the other new policies to see whether they also have such a permission gap.
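The permission gap the report describes can be reproduced offline with a small evaluator for an oslo.policy-style rule language. This is an added example, not code from the bug report or from neutron: the evaluator is a hand-written subset of the rule syntax (`role:`, `rule:`, `key:%(path)s`, `and`, `or`, `not`, parentheses), not oslo.policy itself, and the two `create_subnet` rule strings are constructed to show the shape of the problem (a clause that compares the caller's project with the caller-supplied subnet `project_id`, versus one that compares it with the parent network's `project_id`). They are assumptions, not the exact strings from neutron's policy files, which the report quotes only in truncated form.

```python
"""Evaluate oslo.policy-style rules against a subnet-creation target.

Assumption: this is a hand-written subset of the rule language used for
illustration; it is not oslo.policy and the rule strings are constructed.
"""
import re
from typing import Any, Dict, List

# One token per parenthesis, per keyword, or per check such as
# "project_id:%(network:project_id)s" (whose own parentheses must stay intact).
TOKEN_RE = re.compile(r"[^\s()]*%\([^)]*\)s[^\s()]*|\(|\)|[^\s()]+")


def tokenize(rule_text: str) -> List[str]:
    return TOKEN_RE.findall(rule_text)


def _lookup(target: Dict[str, Any], path: str) -> Any:
    """Resolve "network:project_id" to target["network"]["project_id"]."""
    node: Any = target
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _check(atom: str, rules: Dict[str, str], creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # reference to a named rule
        return kind in atom and match in rules and evaluate(rules[match], rules, creds, target)
    if kind == "role":                       # caller holds this role
        return match in creds.get("roles", [])
    sub = re.fullmatch(r"%\((.+)\)s", match)
    if sub:                                  # credential field == target field
        wanted = _lookup(target, sub.group(1))
        return wanted is not None and creds.get(kind) == wanted
    return str(creds.get(kind)) == match     # credential field == literal


def evaluate(rule_text: str, rules: Dict[str, str], creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    """Recursive-descent evaluation: expr := term (or term)*, term := factor (and factor)*."""
    tokens = tokenize(rule_text)
    if not tokens:                           # empty rule allows everything
        return True
    pos = 0

    def peek() -> Any:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr() -> bool:
        result = term()
        while peek() == "or":
            take()
            result = term() or result
        return result

    def term() -> bool:
        result = factor()
        while peek() == "and":
            take()
            result = factor() and result
        return result

    def factor() -> bool:
        tok = take()
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in rule")
            return inner
        if tok == "not":
            return not factor()
        return _check(tok, rules, creds, target)

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in rule: {tokens[pos:]}")
    return result


# Constructed policies (assumed shapes, not neutron's real strings).
RULES_GAP = {
    "admin_only": "role:admin",
    # Compares the caller's project with the subnet's project_id, a value the
    # caller supplies in the request, so it matches for every member.
    "create_subnet": "(rule:admin_only) or (role:member and project_id:%(project_id)s)",
}
RULES_FIXED = {
    "admin_only": "role:admin",
    # Compares the caller's project with the owner of the parent network.
    "create_subnet": "(rule:admin_only) or (role:member and project_id:%(network:project_id)s)",
}


def can_create_subnet(rules: Dict[str, str], creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    return evaluate(rules["create_subnet"], rules, creds, target)


# Constructed sample request: a member of project-a posting a subnet into a
# shared external network owned by the admin project, and into its own network.
MEMBER_A = {"roles": ["member", "reader"], "project_id": "project-a"}
SHARED_NET_TARGET = {
    "project_id": "project-a",               # subnet project_id, chosen by the caller
    "network": {"project_id": "admin-project", "shared": True},
}
OWN_NET_TARGET = {
    "project_id": "project-a",
    "network": {"project_id": "project-a", "shared": False},
}

if __name__ == "__main__":
    for name, rules in (("gap", RULES_GAP), ("fixed", RULES_FIXED)):
        print(name, "shared net:", can_create_subnet(rules, MEMBER_A, SHARED_NET_TARGET),
              "own net:", can_create_subnet(rules, MEMBER_A, OWN_NET_TARGET))
```

With the first policy the member is allowed on the shared network it does not own; with the second the member is still allowed on its own network but denied on the shared one, while `role:admin` passes either way. The same evaluator can be pointed at any other rule string from a deployment's policy.yaml to check which target fields a clause actually compares.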
Changed in neutron:
- importance: Undecided → High
- importance: High → Medium
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.