User who is not owner of the SG can create/delete rules in the shared SG

Bug #2101150 reported by Slawek Kaplonski
Affects: neutron | Status: Fix Released | Importance: High | Assigned to: Slawek Kaplonski

Bug Description

If an SG is shared with another project using the RBAC mechanism in Neutron, users from the target project can see and use that SG but can't modify it by default, as modifying SGs is by default allowed only for the admin and the owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L153

But such a user, who only sees the SG as shared with them, can still create or delete SG rules in that SG, because SG rules have separate API policies and those don't check the owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L214

Creating an SG rule is really a modification of the SG, thus IMO it should by default mimic the API policies for SGs, and creation/deletion of SG rules in such a case should be allowed only for the admin and the owner of the SG. To do that we should change our default API policies for "create_security_group_rule" and "delete_security_group_rule" to "rule:admin_or_sg_owner".
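A minimal model of the policy gap and of the fix, added here as an illustration and not Neutron's own code (Neutron evaluates its defaults with oslo.policy; `SG_DB`, `Context`, `lookup_sg`, `enforce` and the two policy functions are constructed names). It also models the commit's reduced retry on a NotFound parent lookup.

```python
from dataclasses import dataclass


class NotFound(Exception):
    pass


# Constructed "database": one SG owned by project-a and shared (RBAC) with project-b.
SG_DB = {"sg-a": {"project_id": "project-a", "shared_with": {"project-b"}}}
LOOKUPS = {"count": 0}  # counts DB lookups so the retry behaviour can be observed


@dataclass
class Context:
    project_id: str
    is_admin: bool = False


def lookup_sg(sg_id, retries=1):
    # Models the OwnerCheck parent lookup: after the fix it retries once
    # (two attempts in total) and then gives up on NotFound.
    for _ in range(retries + 1):
        LOOKUPS["count"] += 1
        if sg_id in SG_DB:
            return SG_DB[sg_id]
    raise NotFound(sg_id)


def admin_or_owner(ctx, target):
    # Pre-fix default for create/delete_security_group_rule: compares the
    # rule's own project_id (the caller's project) with the caller, so any
    # project the SG is merely shared with passes the check.
    return ctx.is_admin or target.get("project_id") == ctx.project_id


def admin_or_sg_owner(ctx, target):
    # Post-fix default: resolve the parent SG and compare *its* project_id.
    try:
        sg = lookup_sg(target["security_group_id"])
    except NotFound:
        return False
    return ctx.is_admin or sg["project_id"] == ctx.project_id


POLICIES_BEFORE = {"create_security_group_rule": admin_or_owner,
                   "delete_security_group_rule": admin_or_owner}
POLICIES_AFTER = {"create_security_group_rule": admin_or_sg_owner,
                  "delete_security_group_rule": admin_or_sg_owner}


def enforce(policies, action, ctx, sg_id):
    # Target built the way the API builds it: the SG rule's project_id is the caller's.
    target = {"security_group_id": sg_id, "project_id": ctx.project_id}
    return policies[action](ctx, target)
```

Running `enforce(POLICIES_BEFORE, "create_security_group_rule", Context("project-b"), "sg-a")` returns True (the bug), while the same call against `POLICIES_AFTER` returns False.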

Tags: api
Changed in neutron:
importance: Medium → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/944022

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/944022
Committed: https://opendev.org/openstack/neutron/commit/dfea81a4bf6aa62f56d101f8a0cb168a02338d5c
Submitter: "Zuul (22348)"
Branch: master

commit dfea81a4bf6aa62f56d101f8a0cb168a02338d5c
Author: Slawek Kaplonski <email address hidden>
Date: Tue Mar 11 11:48:57 2025 +0100

    [S-RBAC] Fix policies for the SG rules API

    This patch fixes default policies for the Security Group Rules API so
    that a user of the project who isn't the owner of the SG but only sees it
    as a shared one can't now create or delete rules in such an SG.

    Additionally this patch lowers the number of retries when the parent object's id
    is looked up in the DB by the OwnerCheck policy rule to just one. If it
    fails twice with a NotFound exception, then there is no need to repeat
    it more times.

    Closes-bug: #2101150
    Change-Id: I23722d0ffabce0034548a5fa919980d02bacd91a

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2024.2)

Fix proposed to branch: stable/2024.2
Review: https://review.opendev.org/c/openstack/neutron/+/944198

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/neutron/+/944199

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/944200

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 26.0.0.0rc1

This issue was fixed in the openstack/neutron 26.0.0.0rc1 Epoxy release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/944198
Committed: https://opendev.org/openstack/neutron/commit/c6032567c1a648e09cfea73257b8f59f7817b352
Submitter: "Zuul (22348)"
Branch: stable/2024.2

commit c6032567c1a648e09cfea73257b8f59f7817b352
Author: Slawek Kaplonski <email address hidden>
Date: Tue Mar 11 11:48:57 2025 +0100

    [S-RBAC] Fix policies for the SG rules API

    This patch fixes default policies for the Security Group Rules API so
    that a user of the project who isn't the owner of the SG but only sees it
    as a shared one can't now create or delete rules in such an SG.

    Additionally this patch lowers the number of retries when the parent object's id
    is looked up in the DB by the OwnerCheck policy rule to just one. If it
    fails twice with a NotFound exception, then there is no need to repeat
    it more times.

    Closes-bug: #2101150
    Change-Id: I23722d0ffabce0034548a5fa919980d02bacd91a
    (cherry picked from commit dfea81a4bf6aa62f56d101f8a0cb168a02338d5c)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/944199
Committed: https://opendev.org/openstack/neutron/commit/93dd241d22c4fbb24776ceee7b9f247a4fddbee7
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 93dd241d22c4fbb24776ceee7b9f247a4fddbee7
Author: Slawek Kaplonski <email address hidden>
Date: Tue Mar 11 11:48:57 2025 +0100

    [S-RBAC] Fix policies for the SG rules API

    This patch fixes default policies for the Security Group Rules API so
    that a user of the project who isn't the owner of the SG but only sees it
    as a shared one can't now create or delete rules in such an SG.

    Additionally this patch lowers the number of retries when the parent object's id
    is looked up in the DB by the OwnerCheck policy rule to just one. If it
    fails twice with a NotFound exception, then there is no need to repeat
    it more times.

    Closes-bug: #2101150
    Change-Id: I23722d0ffabce0034548a5fa919980d02bacd91a
    (cherry picked from commit dfea81a4bf6aa62f56d101f8a0cb168a02338d5c)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/944200
Committed: https://opendev.org/openstack/neutron/commit/be59c0c0f1aa101795dd7f06a6a8b209d46403bb
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit be59c0c0f1aa101795dd7f06a6a8b209d46403bb
Author: Slawek Kaplonski <email address hidden>
Date: Tue Mar 11 11:48:57 2025 +0100

    [S-RBAC] Fix policies for the SG rules API

    This patch fixes default policies for the Security Group Rules API so
    that a user of the project who isn't the owner of the SG but only sees it
    as a shared one can't now create or delete rules in such an SG.

    Additionally this patch lowers the number of retries when the parent object's id
    is looked up in the DB by the OwnerCheck policy rule to just one. If it
    fails twice with a NotFound exception, then there is no need to repeat
    it more times.

    Conflicts:
        neutron/tests/unit/conf/policies/test_security_group.py

    Closes-bug: #2101150
    Change-Id: I23722d0ffabce0034548a5fa919980d02bacd91a
    (cherry picked from commit dfea81a4bf6aa62f56d101f8a0cb168a02338d5c)
    (cherry picked from commit f23e6ca9f80b5bac338ec6a5d13e585251a19046)
