Reader can update object tag

Bug #2037002 reported by Vadym Markov
Affects   Status        Importance   Assigned to      Milestone
neutron   Fix Released  High         Rodolfo Alonso

Bug Description

Updating Neutron object tags ignores the policies for the object update, so a reader user can update tags for all objects in their project.

Reproduced on Devstack - Yoga. Newer releases up to master have no changes here, so they should also be affected.

Steps to reproduce:
All operations are in the default alt_demo project, which has all needed users provisioned by default.

1. Create a network object, e.g. a floating IP, using the alt_demo user (as project admin)
2. Re-login as alt_demo_reader and try to update tags for this floating IP

Tags are updated successfully, but the reader user has no rights to update the floating IP: the "update_floatingip" policy is enabled for at least member.

tags: added: access-control
Revision history for this message
Bernard Cafarelli (bcafarel) wrote :

It is possible tags slipped by in RBAC.

Though while trying to reproduce this (fresh devstack from 2023-09-22), I got an issue with the more generic reader role: after "source ~/devstack/openrc alt_demo_reader alt_demo" I could still run admin commands (creating/deleting networks, ports, ...)

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

That's correct. The "tag" plugin has its own API paths (get_tags, update_tags, etc) that are not considered in the policy checks.

Changed in neutron:
status: New → Confirmed
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/896509

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/896509
Committed: https://opendev.org/openstack/neutron/commit/f9b91289a5c2948429e69e1b58098cec846fba99
Submitter: "Zuul (22348)"
Branch: master

commit f9b91289a5c2948429e69e1b58098cec846fba99
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 26 08:03:19 2023 +0000

    Add policy enforcer for "tags" service plugin

    The following resources have been updated with new policies for
    tags:
    * Port
    * Subnet
    * Network
    * Router
    * FloatingIP
    * NetworkSegmentRange
    * NetworkSegment
    * SecurityGroup
    * Trunk
    * Subnetpool

    The admin can now enforce specific policies for the resource tags
    for the creation, update and deletion actions.

    NOTE: a follow-up patch, with a new Launchpad bug reference, will
          be created to move the ``Tagging`` class from
          ``ExtensionDescriptor`` to ``APIExtensionDescriptor``, and
          refactor the ``TaggingController`` to be a standard
          ``neutron.api.v2.base.Controller``. Any API resource using
          the second controller will use the path used by the wsgi
          hooks, in particular the policy hook. That will make it unnecessary
          to manually call the ``policy.enforce`` method from the
          extension class methods.

    Closes-Bug: #2037002
    Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd
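
The gap described in the bug report and closed by the commit above, as an added example that is not Neutron's own code: a cut-down policy evaluator (loosely modelled on oslo.policy's `role:`, `rule:` and `%(project_id)s` checks, without parentheses or generic checks) drives an unpatched tag update that writes straight to the object, and a patched one that calls enforce first. The policy name `update_floatingip:tags`, the rule strings, the `FloatingIP` class and the credential dicts are assumptions made for illustration; the real rule names and defaults live in neutron/conf/policies.

```python
"""Model of bug #2037002: tag updates that bypass the resource update policy.

Added example, not Neutron code. The policy language here is a small subset of
oslo.policy syntax: atoms are ``role:<name>``, ``rule:<name>`` and
``project_id:%(project_id)s``; ``or`` binds loosest, ``and`` tighter, and
there are no parentheses. Policy names and defaults are assumed.
"""
import re

# Assumed policy file. "update_floatingip:tags" mirrors the per-resource tag
# policies the fix introduces; the exact names are in neutron/conf/policies.
POLICY = {
    "admin_only": "role:admin",
    "update_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s",
    "update_floatingip:tags": "rule:update_floatingip",
}


class PolicyNotAuthorized(Exception):
    """Raised when enforce() rejects the action for the given credentials."""


def _check_atom(atom, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return check_rule(value, creds, target)
    if kind == "project_id":
        # "%(project_id)s" is substituted from the target object's attributes
        m = re.fullmatch(r"%\((\w+)\)s", value)
        wanted = target[m.group(1)] if m else value
        return creds["project_id"] == wanted
    raise ValueError(f"unknown check {atom!r}")


def check_rule(name, creds, target):
    """Evaluate POLICY[name]: any 'or'-branch whose 'and'-atoms all pass."""
    expr = POLICY[name]
    return any(
        all(_check_atom(a.strip(), creds, target) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, creds, target):
    if not check_rule(action, creds, target):
        raise PolicyNotAuthorized(
            f"{action} denied for roles {sorted(creds['roles'])}")


class FloatingIP:
    """Stand-in for the Neutron object whose tags are being changed."""

    def __init__(self, project_id):
        self.project_id = project_id
        self.tags = set()

    def as_target(self):
        return {"project_id": self.project_id}


def update_tags_unpatched(fip, creds, tags):
    # Before the fix: the tag extension has its own API path and writes the
    # tags without ever consulting the resource's update_* policy.
    fip.tags = set(tags)
    return fip.tags


def update_tags_patched(fip, creds, tags):
    # After the fix: enforce the tag-specific policy before touching the object.
    enforce("update_floatingip:tags", creds, fip.as_target())
    fip.tags = set(tags)
    return fip.tags


def try_update(fn, fip, creds, tags):
    try:
        return "allowed", sorted(fn(fip, creds, tags))
    except PolicyNotAuthorized:
        return "denied", sorted(fip.tags)


def demo():
    """Run both code paths for the callers from the bug report (constructed)."""
    callers = {
        "reader": {"roles": {"reader"}, "project_id": "alt_demo"},
        "member": {"roles": {"member", "reader"}, "project_id": "alt_demo"},
        "stranger": {"roles": {"member", "reader"}, "project_id": "demo"},
        "admin": {"roles": {"admin", "member", "reader"}, "project_id": "admin"},
    }
    results = {}
    for label, fn in (("unpatched", update_tags_unpatched),
                      ("patched", update_tags_patched)):
        for who, creds in callers.items():
            fip = FloatingIP("alt_demo")      # owned by the alt_demo project
            results[(label, who)] = try_update(fn, fip, creds, ["prod"])
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

The unpatched path lets the `reader` in alt_demo set tags on an object it cannot otherwise update, which is the report's observation; the patched path rejects it, rejects a member of another project, and still admits a member of the owning project and the admin. When checking a real deployment, the equivalent test is the two-step reproduction above run against the release that contains the fix, with `openstack` CLI output rather than this model.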

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 24.0.0.0b1

This issue was fixed in the openstack/neutron 24.0.0.0b1 development milestone.
