2018-07-30 01:13:39 |
Felipe Monteiro |
bug |
|
|
added bug |
2018-07-30 01:14:28 |
Felipe Monteiro |
description |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the plugins like the "enforce_policy": True key/value pair in the extension code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only"
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only"
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-07-30 01:21:10 |
Felipe Monteiro |
description |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only"
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only"
3)
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-07-30 01:22:13 |
Felipe Monteiro |
description |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only"
3)
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project admin test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin using the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-07-30 01:22:46 |
Felipe Monteiro |
description |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin using the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-07-30 14:02:34 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2018-07-30 14:03:23 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2018-07-30 14:03:44 |
Jeremy Stanley |
description |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-07-30 14:03:59 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
2018-08-04 01:15:11 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
* Description *
Using QA automation as well as manual CLI validation, it appears to me as though many Neutron extensions aren't enforcing RBAC at all. This is because the extensions lack the "enforce_policy": True key/value pair in the extension resource definition code. Example: https://review.openstack.org/#/c/584217/2/neutron/extensions/subnet_service_types.py
This appears to be affecting many Neutron extensions.
* Pre-conditions *
1) Enable neutron-trunk plugin in local.conf by adding: enable_service neutron-trunk
2) Set create_trunk to "rule:admin_only" in /etc/neutron/policy.json, i.e.: "create_trunk": "rule:admin_only" or even "create_trunk": "!" which should deny absolutely everyone.
3) source ~/devstack/openrc demo demo or even source ~/devstack/openrc admin admin after setting "create_trunk" with the "!" rule.
* Reproduction Steps *
1) Run the following CLI commands:
- openstack network create test-network
- openstack port create --enable --network test-network test-port
- openstack network trunk create --parent-port test-port --enable --project demo test-trunk
* Expected Output *
Expected result: trunk creation fails with a 403 Unauthorized.
* Actual Output *
Observed result: trunk creation succeeds.
* Affected Plugins *
As far as I can tell:
- subnet service type
- subnet segment_id
- trunks
- trunk subports
Possibly many more.
* Outstanding Patches *
Outstanding patches that begin fixing these issues:
- https://review.openstack.org/#/c/584217/ (subnet service type RBAC fix)
- https://review.openstack.org/#/c/584601/ (subnet segment_id RBAC fix)
Validation patches that identify some of these issues:
- https://review.openstack.org/#/c/584424/
- https://review.openstack.org/#/c/582388/ |
|
2018-08-04 01:15:19 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2018-08-07 07:40:33 |
Bence Romsics |
bug |
|
|
added subscriber Bence Romsics |
2018-08-30 20:03:24 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
2018-08-30 20:03:24 |
OpenStack Infra |
neutron: assignee |
|
Mykola Yakovliev (vegasq) |
|
2020-09-03 11:27:06 |
Slawek Kaplonski |
neutron: status |
In Progress |
Confirmed |
|
2021-08-05 17:43:08 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2021-08-05 17:45:58 |
Jeremy Stanley |
tags |
|
security |
|
2021-08-05 17:47:11 |
Jeremy Stanley |
information type |
Public Security |
Public |
|
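The report above attributes the missing enforcement to extension resource definitions that lack the "enforce_policy": True flag, so that rules an operator writes in policy.json for those attributes are never consulted. The following is an added illustration, not Neutron's code and not any of the patches linked in the report: a simplified model of attribute-level policy checking in which a per-attribute rule (create_<resource>:<attribute>) is only evaluated when the attribute's definition carries enforce_policy=True. The rule-language subset, the attribute maps, the policy rules and the request bodies are all constructed here as assumptions. It also includes an audit helper that lists policy rules which can never take effect because the matching attribute is unflagged, which is the kind of check one would run to find the "possibly many more" affected extensions. The trunk case in the report concerns the action rule itself rather than an attribute flag, and this model does not reproduce that code path; with the "!" rule it shows only the denial the reporter expected.

```python
"""Simplified model of attribute-level policy enforcement keyed on an
"enforce_policy" flag. Added illustration for the bug report above; this is
NOT Neutron's code. The rule-language subset, the attribute maps and the
request bodies are all constructed here (assumptions, not the project's)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal request context: the caller's roles and project."""
    roles: frozenset
    project_id: str


class PolicyError(Exception):
    """Stands in for the HTTP 403 the reporter expected to see."""


def evaluate(rule, rules, ctx):
    """Evaluate a small subset of the policy rule language: "" or "@" always
    allow, "!" always denies, "role:X" requires role X, "rule:NAME" refers
    to another rule, and " or " / " and " combine terms ("and" binds tighter)."""
    rule = rule.strip()
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(evaluate(part, rules, ctx) for part in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(part, rules, ctx) for part in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return evaluate(rules[value], rules, ctx)
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def enforce_create(resource, attr_map, body, rules, ctx):
    """Check a create request the way the report describes: the action rule
    create_<resource> is always evaluated, but the per-attribute rule
    create_<resource>:<attr> is only evaluated for attributes whose
    definition carries enforce_policy=True. Returns the rules that were
    evaluated, or raises PolicyError naming the rule that denied."""
    action = f"create_{resource}"
    evaluated = [action]
    if not evaluate(rules.get(action, rules.get("default", "")), rules, ctx):
        raise PolicyError(action)
    for attr in body:
        if not attr_map.get(attr, {}).get("enforce_policy"):
            continue  # unflagged attribute: its policy.json rule is never consulted
        name = f"{action}:{attr}"
        evaluated.append(name)
        if not evaluate(rules.get(name, rules.get("default", "")), rules, ctx):
            raise PolicyError(name)
    return evaluated


def unenforced_rules(resource, attr_map, rules):
    """Audit helper: per-attribute rules present in the policy file whose
    attribute lacks enforce_policy, i.e. rules that can never take effect."""
    prefixes = tuple(f"{verb}_{resource}:" for verb in ("create", "update"))
    dead = [name for name in rules if name.startswith(prefixes)
            and not attr_map.get(name.split(":", 1)[1], {}).get("enforce_policy")]
    return sorted(dead)


# Constructed attribute maps. The "broken" variant omits enforce_policy on
# segment_id; the "fixed" variant adds it, which is the shape of change the
# report's patches make (modelled here, not the actual diffs).
SUBNET_ATTRS_BROKEN = {
    "network_id": {"allow_post": True},
    "cidr": {"allow_post": True},
    "segment_id": {"allow_post": True, "is_visible": True},
}
SUBNET_ATTRS_FIXED = dict(SUBNET_ATTRS_BROKEN)
SUBNET_ATTRS_FIXED["segment_id"] = {**SUBNET_ATTRS_BROKEN["segment_id"],
                                    "enforce_policy": True}

# Constructed policy file in the spirit of the report's policy.json edits:
# segment_id is admin-only and create_trunk is "!" (deny everyone).
RULES = {
    "admin_only": "role:admin",
    "create_subnet": "",
    "create_subnet:segment_id": "rule:admin_only",
    "create_trunk": "!",
}

DEMO = Context(roles=frozenset({"member"}), project_id="demo")
ADMIN = Context(roles=frozenset({"admin", "member"}), project_id="admin")


def outcome(resource, attr_map, body, ctx):
    """Run one create request and report 'allowed' or 'denied by <rule>'."""
    try:
        enforce_create(resource, attr_map, body, RULES, ctx)
        return "allowed"
    except PolicyError as exc:
        return f"denied by {exc}"


if __name__ == "__main__":
    body = {"network_id": "net-1", "cidr": "10.0.0.0/24", "segment_id": "seg-1"}
    print("broken map, demo user:", outcome("subnet", SUBNET_ATTRS_BROKEN, body, DEMO))
    print("fixed map, demo user: ", outcome("subnet", SUBNET_ATTRS_FIXED, body, DEMO))
    print("fixed map, admin user:", outcome("subnet", SUBNET_ATTRS_FIXED, body, ADMIN))
    print("dead rules in broken map:", unenforced_rules("subnet", SUBNET_ATTRS_BROKEN, RULES))
```

With the unflagged map a non-admin setting segment_id is allowed even though policy.json says admin-only; adding the flag is enough for the same request to be denied, and the audit helper surfaces exactly those rules that an unflagged attribute map silently disables. In a real deployment the equivalent check is to compare the rules in the policy file against the extension's attribute definitions, since a rule with no matching enforce_policy flag gives a false sense of restriction.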