All neutron entities are visible across all projects with Identity v3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenContrail | New | Undecided | Deepinder Setia | 
Bug Description
Users found that Neutron with the OpenContrail plugin and v3 authentication does not respect the token's scope when returning information to the user.
As a consequence, all Neutron entities created by the admin of project A are visible to the admin of project B, which can lead to OpenStack malfunction if entities with the same names are present in both projects.
For example:
The admin of project A creates a security group named "test-secgroup". The admin of project B does the same, then the admin of project B tries to boot a VM:
# nova boot --image my-cirros-image --flavor m1.tiny --security-group test-secgroup --nic net-id=
Which results in error:
ERROR (Conflict): Multiple security_group matches found for name 'test-secgroup', use an ID to be more specific. (HTTP 409) (Request-ID: req-169fab15-
Moreover, the admin of project B is able to edit and even delete entities created by the admin of project A (and vice versa), which may be a security concern.
Cross-project visibility was verified and confirmed for the following Neutron entities:
- Network
- Security Group
- Router
- LB pool
Our clouds use Contrail 2.0.1 build 41 and 2.0.1 build 43. Identity v3 auth with an LDAP backend is used.
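The following script is an added example of how an operator can check for the scoping problem described above; it is not part of the bug report and not code from OpenContrail or Neutron. It obtains a project-scoped Keystone v3 token (the standard POST /v3/auth/tokens password flow), lists the four entity types named in the report through the Neutron v2.0 API, and flags every returned entity whose owning project differs from the token's project, plus any name collisions that would produce the "Multiple security_group matches" 409 seen from nova. The Keystone and Neutron endpoint URLs, the project names and the inline sample response are assumptions constructed for the example.

```python
"""Audit whether a project-scoped token sees other projects' Neutron entities.

Added example; not code from the bug report, OpenContrail or Neutron.
Endpoint URLs, project names and the sample response are constructed assumptions.
"""
import json
import urllib.request

KEYSTONE = "http://keystone.example.com:5000/v3"   # assumed endpoint
NEUTRON = "http://neutron.example.com:9696/v2.0"   # assumed endpoint

# Neutron v2.0 list paths for the entity types named in the report
# (LB pools come from the LBaaS v1 extension under /lb/pools).
RESOURCES = {
    "networks": "/networks",
    "security_groups": "/security-groups",
    "routers": "/routers",
    "pools": "/lb/pools",
}


def find_leaks(project_id, resource, body):
    """Return (id, name, owner) for entities in a Neutron list response
    owned by a project other than project_id.  Older Neutron reports the
    owner as tenant_id, newer releases also as project_id; accept either."""
    leaks = []
    for item in body.get(resource, []):
        owner = item.get("project_id") or item.get("tenant_id")
        if owner != project_id:
            leaks.append((item.get("id"), item.get("name"), owner))
    return leaks


def duplicate_names(resource, body):
    """Names that occur more than once in the response: the condition that
    makes a name-based lookup (e.g. nova boot --security-group NAME) ambiguous."""
    seen, dupes = set(), set()
    for item in body.get(resource, []):
        name = item.get("name")
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return dupes


def project_scoped_token(user, password, user_domain, project, project_domain):
    """Keystone v3 password auth with an explicit project scope.
    Returns (token, project_id) taken from the X-Subject-Token header
    and the token body."""
    auth = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": user_domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}
    req = urllib.request.Request(KEYSTONE + "/auth/tokens",
                                 data=json.dumps(auth).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = resp.headers["X-Subject-Token"]
        project_id = json.load(resp)["token"]["project"]["id"]
    return token, project_id


def neutron_list(token, path):
    """GET a Neutron list endpoint with the scoped token."""
    req = urllib.request.Request(NEUTRON + path, headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(token, project_id):
    """Per resource type: entities visible but owned elsewhere, and colliding names."""
    report = {}
    for resource, path in RESOURCES.items():
        body = neutron_list(token, path)
        report[resource] = {"foreign": find_leaks(project_id, resource, body),
                            "duplicate_names": duplicate_names(resource, body)}
    return report


# Constructed sample: the view project B's admin got in the report, where
# project A's "test-secgroup" is returned alongside B's own.
PROJECT_A = "a" * 32
PROJECT_B = "b" * 32
SAMPLE_SECGROUPS = {"security_groups": [
    {"id": "sg-a1", "name": "test-secgroup", "tenant_id": PROJECT_A},
    {"id": "sg-b1", "name": "test-secgroup", "tenant_id": PROJECT_B},
]}

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in audit(*project_scoped_token(...))
    # to run against a live cloud.
    print("foreign:", find_leaks(PROJECT_B, "security_groups", SAMPLE_SECGROUPS))
    print("ambiguous names:", duplicate_names("security_groups", SAMPLE_SECGROUPS))
```

With correct scoping, `find_leaks` returns an empty list for every resource type and a name-based `nova boot` cannot hit the 409, because only the caller's own project's entities are in the response; a non-empty result is the leak the report describes, and a non-empty `duplicate_names` is the direct cause of the conflict error.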
Changed in opencontrail:
- assignee: nobody → Deepinder Setia (dsetia)
- tags: added: config