Bug 1130288 - Non-admin networks can be updated to shared and/or router:external
Summary: Non-admin networks can be updated to shared and/or router:external
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 5.0 (RHEL 7)
Assignee: lpeer
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-14 19:12 UTC by Cye Stoner
Modified: 2016-04-26 21:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-15 09:32:32 UTC



Description Cye Stoner 2014-08-14 19:12:43 UTC
Description of problem:
Non-admin users can create networks, and then update them to shared and/or external.

Version-Release number of selected component (if applicable):
openstack-neutron-2013.2.3-14.el6ost

How reproducible:
See below.

Steps to Reproduce:

$ neutron net-create example-network
Created a new network:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| id             | 5f25a8a6-e0f8-4998-a872-5a152c478f8a |
| name           | example-test                         |
| shared         | False                                |
| status         | ACTIVE                               |
| subnets        |                                      |
| tenant_id      | 979307b9e6174d4aa1f750381c5cee88     |
+----------------+--------------------------------------+

$ neutron net-update example-test --router:external=True
Updated network: example-test

$ neutron net-show example-test
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 5f25a8a6-e0f8-4998-a872-5a152c478f8a |
| name            | example-test                         |
| router:external | True                                 |
| shared          | False                                |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | 979307b9e6174d4aa1f750381c5cee88     |
+-----------------+--------------------------------------+

(The same can be done for --shared=True)

Actual results:
Out of the box, non-admin users can update network in ways that only admin users should be able to.

Expected results:
User should not have been able to update those fields.

Additional info:
This issue has already been reported and fixed upstream in the stable/havana branch, but has not been packaged and backported to OSP4.

The following two lines must be added to policy.json to achieve the intended effect:

    "create_network:shared": "rule:admin_only",
    "create_network:router:external": "rule:admin_only",

Comment 1 Cye Stoner 2014-08-14 19:22:50 UTC
Oops, a couple corrections.

This does not seem to be applied to stable/havana upstream. The fix seems to be in icehouse, however:
https://bugs.launchpad.net/neutron/+bug/1268823 

Also, the needed additions should be:
    "update_network:shared": "rule:admin_only",
    "update_network:router:external": "rule:admin_only",

Comment 3 Nir Yechiel 2014-08-18 09:05:08 UTC
The fix should be included in all Icehouse based RHEL-OSP releases. Which release have you tested against? If you want to target the fix to RHEL-OSP 4 too, please set Target appropriately.

Comment 4 Cye Stoner 2014-08-28 19:15:09 UTC
I have tested it against OSP4.

Comment 5 Nir Yechiel 2014-08-31 08:02:51 UTC
Thanks Cye. Can you share more information about your deployment? Is it for testing/PoC, etc.? Can you use the Icehouse/OSP-5 bits?

Thanks,
Nir

Comment 6 Cye Stoner 2014-09-02 15:25:45 UTC
This is just an install for our devs to use for QA purposes at the moment.

It isn't great timing to try to piecewise upgrade to Icehouse. We have a release coming up shortly, and I'd prefer to wait until after that to do any major version jumps.

I am hoping to schedule the Icehouse upgrade after the release, but that will likely be more than a week out.

Comment 7 Cye Stoner 2014-09-04 20:54:29 UTC
An update, related to bug id 1135074.

While these policy changes have the intended effect of preventing non-admin users from updating networks to be external/shared networks, they also prevent non-admin users from updating network names.

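The following is an added example, not code from the bug report or from neutron itself. It models the policy.json rules quoted in comment 1 with a small evaluator (an assumed, simplified subset of neutron's rule language: `rule:`, `role:` and `tenant_id:%(tenant_id)s` clauses joined by `or`) and shows the "before" policy letting a non-admin owner set `router:external`, the "after" policy denying it, and the intended behaviour from comment 7 that attribute rules apply only to attributes present in the request, so an owner renaming a network is still allowed.

```python
import json

# Constructed policy fragments (assumption: simplified subset of the neutron
# policy.json rule language, evaluated by the toy engine below, not neutron's).
POLICY_BEFORE = """{
    "admin_only": "role:admin",
    "admin_or_owner": "rule:admin_only or tenant_id:%(tenant_id)s",
    "update_network": "rule:admin_or_owner"
}"""

# Same policy with the two lines from comment 1 added.
POLICY_AFTER = """{
    "admin_only": "role:admin",
    "admin_or_owner": "rule:admin_only or tenant_id:%(tenant_id)s",
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only",
    "update_network:router:external": "rule:admin_only"
}"""


def _check(expr, creds, target, rules):
    """Evaluate 'a or b' where each clause is rule:X, role:X or field:%(key)s."""
    for clause in expr.split(" or "):
        kind, _, value = clause.strip().partition(":")
        if kind == "rule" and _check(rules[value], creds, target, rules):
            return True
        if kind == "role" and value in creds["roles"]:
            return True
        if value.startswith("%(") and creds.get(kind) == target.get(value[2:-2]):
            return True  # e.g. tenant_id:%(tenant_id)s -> caller owns the network
    return False


def is_update_allowed(policy_json, creds, network, body):
    """True if `creds` may apply the update `body` to `network` under the policy."""
    rules = json.loads(policy_json)
    if not _check(rules["update_network"], creds, network, rules):
        return False
    # Attribute rules are enforced only for attributes present in the request,
    # so an owner renaming a network is not caught by the admin-only rules.
    for attr in body:
        rule_name = "update_network:" + attr
        if rule_name in rules and not _check(rules[rule_name], creds, network, rules):
            return False
    return True


NETWORK = {"tenant_id": "979307b9e6174d4aa1f750381c5cee88"}  # tenant from the report
OWNER = {"tenant_id": NETWORK["tenant_id"], "roles": ["_member_"]}  # constructed
ADMIN = {"tenant_id": "admin-tenant", "roles": ["admin"]}  # constructed

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        ok = is_update_allowed(policy, OWNER, NETWORK, {"router:external": True})
        print(f"{label}: non-admin owner may set router:external -> {ok}")
```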
Comment 8 lpeer 2015-01-15 09:32:32 UTC
The bug is fixed in Icehouse.
