
Bug 1747269

Summary: Non-admin user can assign fixed vip address from external network
Product: Red Hat OpenStack
Reporter: Takashi Kajinami <tkajinam>
Component: openstack-neutron-lbaas
Assignee: Brian Haley <bhaley>
Status: CLOSED WONTFIX
QA Contact: Bruna Bonguardo <bbonguar>
Severity: medium
Priority: low
Version: 13.0 (Queens)
CC: amuller, apevec, bhaley, cgoncalves, gthiemon, lhh, michjohn, scohen
Target Milestone: z9
Keywords: Triaged, ZStream
Type: Bug
Last Closed: 2020-03-11 09:45:32 UTC
Bug Depends On: 1751329

Description Takashi Kajinami 2019-08-30 02:58:08 UTC
Description of problem:

In the LBaaSv2 API, we have a vip_address parameter in the create load balancer API [1].
 [1] https://docs.openstack.org/api-ref/network/v2/#create-a-load-balancer

Using this parameter, a user can specify the IP used for the VIP of their load balancer
instead of getting an IP automatically from the allocation pool.

The problem is that there is no mechanism governing what can be passed as this vip_address.

When a non-admin user creates a load balancer, they can specify the external network
as the network their LB listens on, as it is shared and visible,
and can also specify any address as their VIP, which means an IP outside the
allocation pool can be used.

This has a very big impact from a security point of view, as we do not
expect users to assign a fixed IP in the external network instead of getting
one from the range defined by the admin.

How reproducible:
Always

Steps to Reproduce:
1. Create an external network/subnet as admin, with shared=True
2. Create a load balancer with 
    vip_subnet_id: <external_subnet_id>
    vip_address: <ip_outside_allocation_range>

Actual results:
User can specify a fixed VIP from the external network.

Expected results:
User can't specify a fixed IP and gets an authorization error.
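
The check the "Expected results" above asks for, written out as an added example. This is not code from neutron-lbaas, Octavia or Neutron; the `Subnet`, `RequestContext`, `validate_vip_address` and `build_vip_port_request` names, the policy they encode, and the sample external subnet (203.0.113.0/24 with a pool of .100 to .200) are all constructed here for illustration. The rule is the one the report implies: an admin or the subnet's owner keeps the freedom to pin any free address in the CIDR, while a non-admin on a subnet they merely have access to, such as a shared external subnet, is confined to the admin-defined allocation pools and is refused otherwise.

```python
"""
Added example (not Neutron or neutron-lbaas code): a pre-flight check on the
vip_address a caller requests for a load balancer VIP. All class and function
names and the sample subnet below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Subnet:
    """Minimal stand-in for the Neutron subnet fields this check needs."""
    id: str
    tenant_id: str
    cidr: str
    shared: bool
    allocation_pools: Tuple[Tuple[str, str], ...]  # inclusive (start, end) ranges


@dataclass(frozen=True)
class RequestContext:
    """Who is asking: the caller's project and whether they are admin."""
    tenant_id: str
    is_admin: bool


class VipAddressDenied(Exception):
    """Raised when the caller is not authorised to pin this VIP address."""


def in_allocation_pools(subnet: Subnet, address: str) -> bool:
    """True if the address lies inside one of the subnet's allocation pools."""
    ip = ipaddress.ip_address(address)
    for start, end in subnet.allocation_pools:
        if ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
            return True
    return False


def validate_vip_address(ctx: RequestContext, subnet: Subnet, vip_address: str) -> str:
    """Return the normalised VIP address, or raise.

    Assumed policy (not Neutron's default, which allows any in-CIDR address):
    admins and the subnet owner may pick any usable address inside the CIDR;
    any other caller is confined to the admin-defined allocation pools.
    """
    ip = ipaddress.ip_address(vip_address)
    network = ipaddress.ip_network(subnet.cidr, strict=False)
    if ip not in network:  # also false when the address family differs
        raise ValueError(f"{ip} is not inside subnet {subnet.cidr}")
    if ip in (network.network_address, network.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {subnet.cidr}")
    privileged = ctx.is_admin or ctx.tenant_id == subnet.tenant_id
    if not privileged and not in_allocation_pools(subnet, str(ip)):
        raise VipAddressDenied(
            f"project {ctx.tenant_id} may not pin {ip} on subnet {subnet.id}: "
            f"outside allocation pools {list(subnet.allocation_pools)}"
        )
    return str(ip)


def is_vip_address_allowed(ctx: RequestContext, subnet: Subnet, vip_address: str) -> bool:
    """Boolean wrapper around validate_vip_address for callers that just need a verdict."""
    try:
        validate_vip_address(ctx, subnet, vip_address)
    except (VipAddressDenied, ValueError):
        return False
    return True


def build_vip_port_request(ctx: RequestContext, subnet: Subnet,
                           network_id: str, vip_address: str) -> dict:
    """Body of the Neutron 'create port' call for the VIP, built only after the
    requested address has passed validation (shape follows the Neutron v2 port API)."""
    address = validate_vip_address(ctx, subnet, vip_address)
    return {"port": {"network_id": network_id,
                     "tenant_id": ctx.tenant_id,
                     "fixed_ips": [{"subnet_id": subnet.id, "ip_address": address}]}}


# Constructed sample data: a shared external subnet owned by the admin project.
EXT_SUBNET = Subnet(id="ext-subnet", tenant_id="admin-project", cidr="203.0.113.0/24",
                    shared=True, allocation_pools=(("203.0.113.100", "203.0.113.200"),))
ADMIN = RequestContext(tenant_id="admin-project", is_admin=True)
TENANT = RequestContext(tenant_id="tenant-a", is_admin=False)

if __name__ == "__main__":
    for who, addr in ((TENANT, "203.0.113.150"), (TENANT, "203.0.113.5"), (ADMIN, "203.0.113.5")):
        verdict = "allowed" if is_vip_address_allowed(who, EXT_SUBNET, addr) else "denied"
        print(f"{who.tenant_id:14} vip_address={addr:16} {verdict}")
```

In a real deployment this check belongs in the service that owns the VIP port (the LBaaS driver or Octavia), before it calls Neutron, since, as Comment 3 below notes, Neutron itself accepts out-of-pool fixed IPs by design.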

Comment 3 Michael Johnson 2019-09-04 17:48:38 UTC
I have looked into this issue. VIP allocation is controlled by the neutron service, which in general will allow the user to allocate an unused IP address on any subnet the user has access to. Looking at the neutron code, it is by design that a user can request an IP address outside of the subnet allocation pool. See this comment in the neutron code: https://opendev.org/openstack/neutron/src/branch/master/neutron/ipam/requests.py#L50