Bug #1824248 “Security Group filtering hides rules from user” : Bugs : OpenStack Security Advisory

Bug Description

Manage Rules part of the GUI hides the rules currently visible in the Launch Instance modal window.

It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.

When sending GET request as below, it responds only with the rules that are created by user and this happens when using Manage Rules part of the GUI: <WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

On the other hand when using GET request as below, it responds with all SG and it includes all rules, and there is no filtering and this is used in Launch Instance modal window: <WSGIRequest: GET '/api/network/securitygroups/'>

Here is example of rules display in Manage Rules part of GUI:

> /opt/stack/horizon/openstack_dashboard/dashboards/project/security_groups/views.py(50)_get_data()
-> return api.neutron.security_group_get(self.request, sg_id)
(Pdb) l
45 @memoized.memoized_method
46 def _get_data(self):
47 sg_id = filters.get_int_or_uuid(self.kwargs['security_group_id'])
48 try:
49 from remote_pdb import RemotePdb; RemotePdb('127.0.0.1', 444).set_trace()
50 -> return api.neutron.security_group_get(self.request, sg_id)
51 except Exception:
52 redirect = reverse('horizon:project:security_groups:index')
53 exceptions.handle(self.request,
54 _('Unable to retrieve security group.'),
55 redirect=redirect)
(Pdb) p api.neutron.security_group_get(self.request, sg_id)
<SecurityGroup: {'description': 'Default security group', 'tags': [], 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'created_at': '2019-03-27T00:40:38Z', 'updated_at': '2019-04-09T06:44:45Z', 'security_group_rules': [{'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:38Z', 'revision_number': 0, 'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:38Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'remote_group_id': None, 'remote_ip_prefix': '::/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}], 'revision_number': 3, 'project_id': '4e6e476afd784a92b295f139c429d596', 'id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'name': 'default', 'rules': [<SecurityGroupRule: {'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>, <SecurityGroupRule: {'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '::/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>]}>
(Pdb)

(Pdb) p self.request
<WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

As you might have noticed there are no ports access 44 and 22 (SSH)

And from the Launch Instance Modal Window, as well as CLI we can see that there are two more rules that are invisible for user, port 44 and 22 (SSH) as displayed below:

> /opt/stack/horizon/openstack_dashboard/api/rest/network.py(47)get()
-> return {'items': [sg.to_dict() for sg in security_groups]}
(Pdb) l
42 """
43
44 security_groups = api.neutron.security_group_list(request)
45 from remote_pdb import RemotePdb; RemotePdb('127.0.0.1', 444).set_trace()
46
47 -> return {'items': [sg.to_dict() for sg in security_groups]}
48
49
50 @urls.register
51 class FloatingIP(generic.View):
52 """API for a single floating IP address."""
(Pdb) p security_groups
[<SecurityGroup: {'description': 'Default security group', 'tags': [], 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'created_at': '2019-03-27T00:40:38Z', 'updated_at': '2019-04-09T06:44:45Z', 'security_group_rules': [{'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:38Z', 'revision_number': 0, 'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:38Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': 'tcp', 'description': '', 'tags': [], 'port_range_max': 22, 'updated_at': '2019-04-09T03:30:43Z', 'revision_number': 0, 'id': '2a2e4a88-c837-40b9-a6ef-dd044d2edfe1', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-04-09T03:30:43Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '41fb025277044aabab7537a70616d575', 'port_range_min': 22, 'ethertype': 'IPv4', 'project_id': '41fb025277044aabab7537a70616d575'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'remote_group_id': None, 'remote_ip_prefix': '::/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'egress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv4', 'project_id': '4e6e476afd784a92b295f139c429d596'}, {'direction': 'ingress', 'protocol': 'tcp', 'description': '', 'tags': [], 'port_range_max': 44, 'updated_at': '2019-04-09T06:44:45Z', 'revision_number': 0, 'id': 'db350a38-26c4-4e9c-ae8d-25cc2c5d2025', 'remote_group_id': None, 'remote_ip_prefix': '0.0.0.0/0', 'created_at': '2019-04-09T06:44:45Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '41fb025277044aabab7537a70616d575', 'port_range_min': 44, 'ethertype': 'IPv4', 'project_id': '41fb025277044aabab7537a70616d575'}, {'direction': 'ingress', 'protocol': None, 'description': None, 'tags': [], 'port_range_max': None, 'updated_at': '2019-03-27T00:40:39Z', 'revision_number': 0, 'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'remote_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'remote_ip_prefix': None, 'created_at': '2019-03-27T00:40:39Z', 'security_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'tenant_id': '4e6e476afd784a92b295f139c429d596', 'port_range_min': None, 'ethertype': 'IPv6', 'project_id': '4e6e476afd784a92b295f139c429d596'}], 'revision_number': 3, 'project_id': '4e6e476afd784a92b295f139c429d596', 'id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'name': 'default', 'rules': [<SecurityGroupRule: {'id': '14088bd6-79f7-4e42-b3fb-566a8ec988d8', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>, <SecurityGroupRule: {'id': '2a2e4a88-c837-40b9-a6ef-dd044d2edfe1', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'description': '', 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': '9c246f89-5d05-4ad7-b350-786bbe1813f0', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '::/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'c7df68c0-05c3-48d9-ac1d-671b9618a7d9', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'egress', 'ethertype': 'IPv4', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'db350a38-26c4-4e9c-ae8d-25cc2c5d2025', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv4', 'ip_protocol': 'tcp', 'from_port': 44, 'to_port': 44, 'description': '', 'ip_range': {'cidr': '0.0.0.0/0'}, 'group': {}}>, <SecurityGroupRule: {'id': 'ebf4e6f1-0a62-40c0-9655-328aa2697348', 'parent_group_id': '3a833936-f485-4a37-bb5b-d4694c7e18eb', 'direction': 'ingress', 'ethertype': 'IPv6', 'ip_protocol': None, 'from_port': None, 'to_port': None, 'description': None, 'ip_range': {}, 'group': {'name': 'default'}}>]}>]
(Pdb)

(Pdb) p request
<WSGIRequest: GET '/api/network/securitygroups/'>

Thank you,
Robin

See original description

Tags: Edit Tag help

Gage Hugo (gagehugo) wrote on 2019-04-10:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description:	updated
Changed in ossa:
status:	New → Incomplete

Robin Cernin (rcernin) wrote on 2019-04-11:

There is easy reproducer:

1. Source the admin credentials

2. Add a security group rule to someone else project 'default' group

3. Login into Horizon as the user who owns that modified security group

4. Navigate to Network -> Security Groups -> Manage Rules for 'default' group

5. The rules are not visible as the API doesn't return see Bug description

It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.

Akihiro Motoki (amotoki) wrote on 2019-04-11:

This is not an issue specific to horizon. This is the behavior of neutron. This is an operation example: http://paste.openstack.org/show/749157/

Question to the bug author: Is it specific to horizon?

Akihiro Motoki (amotoki) wrote on 2019-04-11:

In OpenStack deployments, admin role has a lot of power and this is not specific to this case reported here.
I think this is the security model we adopt now.

On the other hand, neutron needs to allow operators to configure a policy for create_security_group_rule. If it does not work, this is another issue and we (as my neutron team hat) should fix it. I will check the current behavior.

Akihiro Motoki (amotoki) wrote on 2019-04-11:

I added 'neutron' as affected projects based on the above analysis.

Robin Cernin (rcernin) wrote on 2019-04-11:

From Security perspective we should be transparent. I don't have much voice here but I would vote for exposing all of the rules in the Manage Rules part of the GUI rather hiding some rules from the user.

Robin Cernin (rcernin) wrote on 2019-04-11:

> Question to the bug author: Is it specific to horizon?

This is neutron related.

Akihiro Motoki (amotoki) wrote on 2019-04-11:

Horizon itself applies no filtering on API responses from neutron, so there is nothing to do in the horizon side and this needs to be discussed as neutron API behavior. It is not specific to GUI. It is same for CLI and API. As horizon, this is related to horizon but there is no room that horizon can do. All need to be discussed as neutron perspective.

Robin Cernin (rcernin) on 2019-04-11

no longer affects:

horizon

Jeremy Stanley (fungi) wrote on 2019-04-11:

In determining whether we should lift the embargo on this discussion, it would be useful to know if there are already plenty of other ways for an admin to backdoor network access controls besides the one specifically raised in this report.

Brian Haley (brian-haley) wrote on 2019-04-15:

#10

I guess I would agree with what Robin said - we should be transparent and at least show all the rules in the security group, even if the user can't update/delete some of them.

Regarding other ways to backdoor into an instance, or at least possibly get network access - in a related way I suppose it would be similar if an admin created a security group with a rule and added it to the instance. I'm guessing that SG wouldn't be visible either, but it's rule would be applied.

Jeremy Stanley (fungi) wrote on 2019-04-15:

#11

In that case, if it's already possible for an admin to create security groups which apply to an instance but are invisible to non-admins, and that is seen as a feature, then the ability for an admin to create a rule a non-admin can't see in a security group they normally can see doesn't seem like an added risk.

Am I understanding your comment correctly, Brian?

Brian Haley (brian-haley) wrote on 2019-04-15:

#12

Jeremy - I wouldn't call it a feature, just a (possible) other way to have a security group rule apply to an instance without the owner's knowledge. I just wanted to raise it to whoever fixes the rules to make sure they take one step up to the group as well. I guess the assumption has always been you trust your admin to some point to not do such things.

Jeremy Stanley (fungi) wrote on 2019-04-15:

#13

And this also assumes the admin in question lacks SSH access to the hypervisor host, control of the software deployed, or any of a myriad of other ways to have a similar influence over network filtering policy. Unfortunately I don't know enough about how typical of a scenario that is to be able to gauge whether we can safely continue the discussion and any related patch development in public. Hopefully someone who is subscribed to this bug has more operational insight than I do and can make a guess.

Slawek Kaplonski (slaweq) wrote on 2019-04-15:

#14

I just created what Brian said. And for security groups attached for port it works differently. Even if group is owned by other tenant than project and I was able to see all sec groups used by port. See http://paste.openstack.org/show/749325/

So IMO we should fix it in neutron and display rules assigned to security group, no matter to which project it belongs.

Brian Haley (brian-haley) wrote on 2019-04-15:

#15

Slawek - thanks for testing that out, but I did notice something in the paste. Although the tenant could see the security group ID, it couldn't list the rules associated with it, so there is still the possibility of a hidden rule allowing port access.

Slawek Kaplonski (slaweq) wrote on 2019-04-16:

#16

@Brian: yes, that is correct. But still user can at least see that admin attached SOME additional security group(s) to the port. If admin will attach additional rules to user's SG than user will not be aware of it at all.

Robin Cernin (rcernin) wrote on 2019-04-16:

#17

@slaweq: There is a way that user can get aware of it, if you open modal window of "Launch Instance" The SGs/rules there are unfiltered.

Slawek Kaplonski (slaweq) wrote on 2019-04-19:

#18

@Robin: I didn't know that. Is Horizon getting them as an admin maybe in this modal window? Or how it is different than in other places?
I think I was checking it with CLI and I didn't saw such rules but I will have to confirm that once again.

Robin Cernin (rcernin) wrote on 2019-04-19:

#19

@Slaweq I checked and it seems different API call:

<WSGIRequest: GET '/project/security_groups/3a833936-f485-4a37-bb5b-d4694c7e18eb/'>

<WSGIRequest: GET '/api/network/securitygroups/'>

The last one is used in modal window and it does not have any filtering. Shows all rules.

Jeremy Stanley (fungi) wrote on 2019-04-22:

#20

So admin-added rules appear in the the Launch Instance modal, just not the normal Manage Security Groups view? If so, then coupling this with the fact that it relies on a malicious service admin to actually pull off any attack of this sort, I think we should be able to continue the discussion in public. I also lean toward categorizing this as a security hardening opportunity rather than a vulnerability in need of an advisory as it's at best only partly capable of hiding any "backdoor" network access rules.

Slawek Kaplonski (slaweq) wrote on 2019-04-23:

#21

@Robin: thx for info.
I know that "GET /v2.0/security-groups/79d6ff90-598c-425a-b0b9-bfaa370dcbc9" is call to neutron API for sure and this one don't shows rules which not belongs to user's tenant.
But I have no idea what is GET /api/network/securitygroups - is it some call to Nova's api maybe, or is it something "internal" for Horizon?

@Jeremy: based on what I wrote above, I'm not sure that it isn't security issue from Neutron point of view. I don't know the way how user would be able to see such "extra" rules created by admin for his SG.
But I also don't think that this should still be keeped as private bug. It may also be "vulnerable" if admin user want's it. And if someone is admin already than probably he can do much more than only add some "hidden" security group rule.

Robin Cernin (rcernin) wrote on 2019-04-24:

#22

@Slaweq:
>I don't know the way how user would be able to see such "extra" rules created by admin for his SG.

Try adding rule as admin to demo, then login as demo and go to Compute -> Launch Instance -> it opens a modal window, switch to Security Groups -> Expand default security group and you should see the rules there created by admin.

Slawek Kaplonski (slaweq) wrote on 2019-04-25:

#23

@Robin: Yes, I understand how it can be checked via horizon. I'm now wondering what API calls Horizon is doing underneath that it has different results. And I don't know what is exactly "GET /api/network/securitygroups" call.
Maybe Akihiro or Brina will know it?

Brian Haley (brian-haley) wrote on 2019-04-25:

#24

I don't know about the GET, but looking at the horizon code it just uses the neutronclient library to make a list_security_groups() call. It doesn't seem to be using the admin role either.

Jeremy Stanley (fungi) wrote on 2019-05-20:

#25

Does anyone object to continuing this discussion in public? Based on recent comments it seems that while there is still some confusion over which API calls Horizon is relying on, there are ways for a normal user to find these rules in the UI. Also, I doubt "malicious admin" is something we can reasonably expect to protect users against in the first place.

Tristan Cacqueray (tristan-cacqueray) wrote on 2019-05-20:

#26

+1 to switching this to public based on above comments.

Matthias Runge (mrunge) wrote on 2019-05-20:

#27

In my understanding, there should be nothing exposable by horizon, which was not already known to the user. Showing data which could be accessed by the user via other ways (and still using the same credentials) is not a security breach in my view.

Jeremy Stanley (fungi) wrote on 2019-05-20:

#28

Matthias: The concern raised by this report is actually the opposite... that it's possible for an admin to "hide" some nefarious security group rules from normal users (though it turns out that's only partly effective if the users know which modal to look in).

Slawek Kaplonski (slaweq) wrote on 2019-05-20:

#29

I also think that this can be switched to be public.
@Matthias, so do You think that user (owner of security group) shouldn't see any rule which belongs to this group but is created by different user (admin)?
IMO user should be able to see such rules but shouldn't be able to modify or delete them.

Jeremy Stanley (fungi) wrote on 2019-05-20:

#30

Seems there's support for switching this to public and no real disagreement with my suggestion a month ago to treat this as a security hardening opportunity rather than a vulnerability, so I'll triage it publicly as such now and we can continue to debate/fix without any further embargo.

Treating as a class D report per https://security.openstack.org/vmt-process.html#incident-report-taxonomy .

description:	updated
information type:	Private Security → Public
Changed in ossa:
status:	Incomplete → Won't Fix
tags:	added: security

OpenStack Infra (hudson-openstack) wrote on 2019-05-20: Fix proposed to neutron (master)

#31

Fix proposed to branch: master
Review: https://review.opendev.org/660174

Changed in neutron:
assignee:	nobody → Slawek Kaplonski (slaweq)
status:	New → In Progress

OpenStack Infra (hudson-openstack) wrote on 2019-05-20: Related fix proposed to neutron-tempest-plugin (master)

#32

Related fix proposed to branch: master
Review: https://review.opendev.org/660175

OpenStack Infra (hudson-openstack) wrote on 2019-05-24: Fix proposed to neutron (stable/stein)

#33

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/661281

OpenStack Infra (hudson-openstack) wrote on 2019-05-24: Fix proposed to neutron (stable/rocky)

#34

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/661283

OpenStack Infra (hudson-openstack) wrote on 2019-05-24: Fix proposed to neutron (stable/queens)

#35

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/661284

OpenStack Infra (hudson-openstack) wrote on 2019-05-25: Fix merged to neutron (master)

#36

Reviewed: https://review.opendev.org/660174
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1920a37a94b7a9589dcf83f6ff0765068560dbf8
Submitter: Zuul
Branch: master

commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

This patch changes to use admin_context to get security group rules
in get_security_group() method to achieve that.

Test to cover such case is added in neutron-tempest-plugin repo.

Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
Closes-Bug: #1824248

Changed in neutron:
status:	In Progress → Fix Released

OpenStack Infra (hudson-openstack) wrote on 2019-05-28: Fix merged to neutron (stable/stein)

#37

Reviewed: https://review.opendev.org/661281
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=acd081c298052e678eb2ff74434d1529544088d8
Submitter: Zuul
Branch: stable/stein

commit acd081c298052e678eb2ff74434d1529544088d8
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

This patch changes to use admin_context to get security group rules
in get_security_group() method to achieve that.

Test to cover such case is added in neutron-tempest-plugin repo.

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)

tags:

added: in-stable-stein

OpenStack Infra (hudson-openstack) wrote on 2019-05-28: Fix merged to neutron (stable/rocky)

#38

Reviewed: https://review.opendev.org/661283
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=252d80058cacc797fbfb970ad42031efe301b0e2
Submitter: Zuul
Branch: stable/rocky

commit 252d80058cacc797fbfb970ad42031efe301b0e2
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

This patch changes to use admin_context to get security group rules
in get_security_group() method to achieve that.

Test to cover such case is added in neutron-tempest-plugin repo.

Conflicts:
neutron/db/securitygroups_db.py

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)

tags:	added: in-stable-rocky
tags:	added: in-stable-queens

OpenStack Infra (hudson-openstack) wrote on 2019-05-28: Fix merged to neutron (stable/queens)

#39

Reviewed: https://review.opendev.org/661284
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e02b66a858b552783d442b52e08f296c849951db
Submitter: Zuul
Branch: stable/queens

commit e02b66a858b552783d442b52e08f296c849951db
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:47:18 2019 +0200

Show all SG rules belong to SG in group's details

    If security group contains rule(s) which were created by different
    user (admin), owner of this security group should see such rules
    even if those rules don't belong to him.

This patch changes to use admin_context to get security group rules
in get_security_group() method to achieve that.

Test to cover such case is added in neutron-tempest-plugin repo.

Conflicts:
neutron/db/securitygroups_db.py

    Change-Id: I890c81bb6eabc5caa620ed4fcc4dc88ebfa6e1b0
    Closes-Bug: #1824248
    (cherry picked from commit 1920a37a94b7a9589dcf83f6ff0765068560dbf8)
    (cherry picked from commit 252d80058cacc797fbfb970ad42031efe301b0e2)

OpenStack Infra (hudson-openstack) wrote on 2019-05-28: Related fix merged to neutron-tempest-plugin (master)

#40

Reviewed: https://review.opendev.org/660175
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=87c3f941a3dd168d64226a4e238545ed69e05383
Submitter: Zuul
Branch: master

commit 87c3f941a3dd168d64226a4e238545ed69e05383
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 20 18:50:53 2019 +0200

Add API test case to check if SG displays all rules

    This patch adds new API test which checks if owner of security group
    can see rules which belongs to his security group even if rule was
    created and belongs to other user (admin).

Patch for master branch:
Depends-On: https://review.opendev.org/660174

Backport to stable/Stein:
Depends-On: https://review.opendev.org/661281

Backport to stable/Rocky:
Depends-On: https://review.opendev.org/661283

Backport to stable/Queens:
Depends-On: https://review.opendev.org/661284

Change-Id: I728cd8252d27e27e91bd95e4734d9db470dee35a
Related-Bug: #1824248

Bernard Cafarelli (bcafarel) on 2019-06-19

tags:

added: neutron-proactive-backport-potential

ZhangChi (chzhang8) wrote on 2019-06-25:

#42

https://review.opendev.org/#/c/660174/
This solution patch can result in another bug as follows:
https://bugs.launchpad.net/tricircle/+bug/1831848

OpenStack Infra (hudson-openstack) wrote on 2019-07-01: Fix included in openstack/neutron 13.0.4

#43

This issue was fixed in the openstack/neutron 13.0.4 release.

OpenStack Infra (hudson-openstack) wrote on 2019-07-01: Fix included in openstack/neutron 14.0.2

#44

This issue was fixed in the openstack/neutron 14.0.2 release.

OpenStack Infra (hudson-openstack) wrote on 2019-07-04: Fix included in openstack/neutron 12.1.0

#45

This issue was fixed in the openstack/neutron 12.1.0 release.

OpenStack Infra (hudson-openstack) wrote on 2019-09-12: Fix proposed to neutron (master)

#46

Fix proposed to branch: master
Review: https://review.opendev.org/681910

OpenStack Infra (hudson-openstack) wrote on 2019-09-12: Related fix proposed to neutron-tempest-plugin (master)

#47

Related fix proposed to branch: master
Review: https://review.opendev.org/681912

OpenStack Infra (hudson-openstack) wrote on 2019-09-19: Fix included in openstack/neutron 15.0.0.0b1

#48

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote on 2019-10-15: Fix proposed to neutron (stable/train)

#49

Fix proposed to branch: stable/train
Review: https://review.opendev.org/688715

OpenStack Infra (hudson-openstack) wrote on 2019-10-15: Fix proposed to neutron (stable/stein)

#50

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/688716

OpenStack Infra (hudson-openstack) wrote on 2019-10-15: Fix proposed to neutron (stable/rocky)

#51

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/688717

OpenStack Infra (hudson-openstack) wrote on 2019-10-15: Fix proposed to neutron (stable/queens)

#52

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/688719

Slawek Kaplonski (slaweq) wrote on 2019-12-04: auto-abandon-script

#53

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee:	Slawek Kaplonski (slaweq) → nobody
tags:	added: timeout-abandon

OpenStack Infra (hudson-openstack) wrote on 2019-12-04: Change abandoned on neutron (stable/rocky)

#55

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/688717
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Slawek Kaplonski (slaweq) wrote on 2019-12-04: auto-abandon-script

#56

OpenStack Infra (hudson-openstack) wrote on 2019-12-04: Change abandoned on neutron (stable/queens)

#57

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/688719
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

OpenStack Infra (hudson-openstack) wrote on 2019-12-04: Change abandoned on neutron-tempest-plugin (master)

#58

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/681912
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

OpenStack Infra (hudson-openstack) wrote on 2019-12-12: Fix merged to neutron (master)

#59

Reviewed: https://review.opendev.org/681910
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b898d2e3c08b50e576ee849fbe8614c66f360c62
Submitter: Zuul
Branch: master

commit b898d2e3c08b50e576ee849fbe8614c66f360c62
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

List SG rules which belongs to tenant's SG

    In case when user's security group contains rules created e.g.
    by admin, and such rules has got admin's tenant as tenant_id,
    owner of security group should be able to see those rules.
    Some time ago this was addressed for request:

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

    So this patch fixes this behaviour for listing of security
    group rules.
    To achieve that this patch also adds new policy rule:
    ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
    ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
    ports.

Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
Closes-Bug: #1824248

OpenStack Infra (hudson-openstack) wrote on 2019-12-20: Fix merged to neutron (stable/train)

#60

Reviewed: https://review.opendev.org/688715
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a6b55d760bee4ea228a466cd45193f77eae53978
Submitter: Zuul
Branch: stable/train

commit a6b55d760bee4ea228a466cd45193f77eae53978
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

List SG rules which belongs to tenant's SG

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
Closes-Bug: #1824248

tags:

added: in-stable-train

OpenStack Infra (hudson-openstack) wrote on 2020-01-30: Fix merged to neutron (stable/stein)

#61

Reviewed: https://review.opendev.org/688716
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=47890e9b85826951387fedb57ab474bd20ab1c3b
Submitter: Zuul
Branch: stable/stein

commit 47890e9b85826951387fedb57ab474bd20ab1c3b
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

List SG rules which belongs to tenant's SG

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)

Sam Morrison (sorrison) wrote on 2020-02-18:

#62

Just a heads up that this causes a huge performance regression see lp:1863201

OpenStack Infra (hudson-openstack) wrote on 2020-02-18: Fix merged to neutron (stable/rocky)

#63

Reviewed: https://review.opendev.org/688717
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=993a344559f293a225fe5dd59525e580249c652f
Submitter: Zuul
Branch: stable/rocky

commit 993a344559f293a225fe5dd59525e580249c652f
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

List SG rules which belongs to tenant's SG

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

Conflicts:
neutron/conf/policies/security_group.py

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)

OpenStack Infra (hudson-openstack) wrote on 2020-02-18: Fix included in openstack/neutron 15.0.2

#64

This issue was fixed in the openstack/neutron 15.0.2 release.

OpenStack Infra (hudson-openstack) wrote on 2020-02-18: Fix included in openstack/neutron 14.1.0

#65

This issue was fixed in the openstack/neutron 14.1.0 release.

OpenStack Infra (hudson-openstack) wrote on 2020-02-19: Fix merged to neutron (stable/queens)

#66

Reviewed: https://review.opendev.org/688719
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e00ebee05318edbd18f49df0fd34697d0e1417ed
Submitter: Zuul
Branch: stable/queens

commit e00ebee05318edbd18f49df0fd34697d0e1417ed
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:02:52 2019 +0200

List SG rules which belongs to tenant's SG

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

    Conflicts:
        etc/policy.json
        neutron/policy.py

    Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
    Closes-Bug: #1824248
    (cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)
    (cherry picked from commit 36d1086569627af5dafd734333a7ebc4bc060d77)

OpenStack Infra (hudson-openstack) wrote on 2020-02-21: Fix included in openstack/neutron 16.0.0.0b1

#67

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote on 2020-02-28: Related fix merged to neutron-tempest-plugin (master)

#68

Reviewed: https://review.opendev.org/681912
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=31c0006ded28255e2502d2975648f1fe603ec127
Submitter: Zuul
Branch: master

commit 31c0006ded28255e2502d2975648f1fe603ec127
Author: Slawek Kaplonski <email address hidden>
Date: Thu Sep 12 22:11:35 2019 +0200

Add list security group rules API test

This test checks that regular user can see all SG rules which belongs
to his tenant OR belongs to security group owned by his tenant.

This test also ensures that SG rules from different tenants and Security
Groups are not visible for regular user.

Fix for master branch
Depends-On: https://review.opendev.org/681910

Fix for stable/train
Depends-On: https://review.opendev.org/688715

Fix for stable/stein
Depends-On: https://review.opendev.org/688716

Fix for stable/rocky
Depends-On: https://review.opendev.org/688717

Fix for stable/queens
Depends-On: https://review.opendev.org/688719

Change-Id: Ic2e97ab8162d10e507ef83b9af0840e7311f0587
Related-Bug: #1824248

OpenStack Infra (hudson-openstack) wrote on 2020-02-28: Fix included in openstack/neutron 13.0.7

#69

This issue was fixed in the openstack/neutron 13.0.7 release.

Slawek Kaplonski (slaweq) on 2020-09-25

tags:

removed: neutron-proactive-backport-potential

OpenStack Security Advisory

Security Group filtering hides rules from user

Bug Description

Other bug subscribers