Reader can update object tag
Bug #2037002 reported by
Vadym Markov
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Rodolfo Alonso | |
Bug Description
Updating Neutron object tags ignores the policies for updating the object itself, so a reader user can update tags for all objects of their project.
Reproduced on Devstack (Yoga). Newer releases up to master have no changes here, so they should also be affected.
Steps to reproduce:
All operations are in the default alt_demo project, which has all needed users provisioned by default.
1. Create a network object, i.e. a floating IP, using the alt_demo user (as project admin).
2. Re-login as alt_demo_reader and try to update tags for this floating IP.
Tags are updated successfully, but the reader user has no rights to update the floating IP: the "update_floatingip" policy requires at least the member role.
tags: added: access-control
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → High
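The gap the report describes, as an added example that is not Neutron's code: a minimal, constructed model of an oslo.policy-style rule table in which a tag endpoint either writes tags without consulting the parent resource's `update_<type>` rule (the reported behaviour) or enforces that rule first. Role names, rule strings, the `ROLE_RANK` hierarchy and the resource id are assumptions made for this example.

```python
# Added example (not Neutron's code): a minimal model of the authorization gap
# described in this bug. Rule strings and role names are constructed and only
# loosely resemble Neutron's oslo.policy rules.

# Assumed role hierarchy: admin implies member, member implies reader.
ROLE_RANK = {"reader": 0, "member": 1, "admin": 2}

# Constructed policy table. The real Neutron policy file is far larger; only
# the rules this example needs are modelled, and their values are assumptions.
POLICY = {
    "get_floatingip": "role:reader",
    "update_floatingip": "role:member",
    "get_network": "role:reader",
    "update_network": "role:member",
}


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not satisfy the requested rule."""


def enforce(rule_name, roles):
    """Enforce one rule; unknown rules are denied (default deny)."""
    rule = POLICY.get(rule_name)
    if rule is None:
        raise PolicyNotAuthorized(f"no rule for {rule_name}")
    required = rule.split(":", 1)[1]
    if not any(ROLE_RANK.get(r, -1) >= ROLE_RANK[required] for r in roles):
        raise PolicyNotAuthorized(
            f"{rule_name} requires {required}, caller has {roles}")


def update_tags_unchecked(resource_type, resource, roles, tags):
    """Behaviour the report describes: the tags endpoint writes tags
    without consulting the parent resource's update_<type> policy."""
    resource = dict(resource)
    resource["tags"] = sorted(set(tags))
    return resource


def update_tags_enforced(resource_type, resource, roles, tags):
    """Hardened variant: a tag change modifies the parent object, so the
    parent's update_<type> rule is enforced before anything is written."""
    enforce(f"update_{resource_type}", roles)
    resource = dict(resource)
    resource["tags"] = sorted(set(tags))
    return resource


def tag_update_allowed(handler, resource_type, roles):
    """Return True if `handler` lets a caller with `roles` change tags."""
    # Constructed sample resource; the id is a placeholder, not a real UUID.
    sample = {"id": "fip-placeholder", "tags": ["original"]}
    try:
        result = handler(resource_type, sample, roles, ["changed"])
    except PolicyNotAuthorized:
        return False
    return result["tags"] == ["changed"]


if __name__ == "__main__":
    for role in ("reader", "member", "admin"):
        print(role,
              "unchecked:", tag_update_allowed(update_tags_unchecked, "floatingip", [role]),
              "enforced:", tag_update_allowed(update_tags_enforced, "floatingip", [role]))
```

Running the block prints, for each role, whether the unchecked and the enforced handler accept a tag change on a floating IP; only the enforced handler rejects the reader. The design point is that the check is derived from the parent resource type rather than from a separate, easily forgotten tag-specific rule, and that a resource type with no matching rule is denied rather than silently allowed.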
It is possible tags slipped by in RBAC.
Though while trying to reproduce this (fresh devstack from 2023-09-22), I got an issue with the more generic reader role: after "source ~/devstack/openrc alt_demo_reader alt_demo" I could still run admin commands (creating/deleting networks, ports, ...).