Upstream bug description: When a non-admin user tries to list security groups for project_id "None", Neutron creates a default security group for that project and returns an empty list to the caller.

To reproduce:

openstack --os-cloud devstack security group list --project None
openstack --os-cloud devstack-admin security group list

The API call that is made is essentially:

GET /networking/v2.0/security-groups?project_id=None

The expected result would be an authorization failure, since normal users should not be allowed to list security groups for other projects.
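The following is an added illustration of the server-side behaviour the description above expects; it is not Neutron's code and not the fix that shipped. All names in it (RequestContext, SecurityGroupStore, list_security_groups, Forbidden, BadRequest) are hypothetical stand-ins for Neutron internals, and treating the literal string "None" as a malformed filter for every caller is an assumption of this example, not something the report states. The point it demonstrates is ordering: the policy check and the filter validation both run before anything touches the store, so a denied request cannot leave a default security group behind.

```python
# Added illustration, not Neutron's own code: a model of the authorization
# check the bug report expects on GET /v2.0/security-groups?project_id=...
# Names (RequestContext, SecurityGroupStore, list_security_groups, Forbidden,
# BadRequest) are hypothetical and stand in for Neutron internals.
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Caller asked for a project it is not authorized to see (HTTP 403)."""


class BadRequest(Exception):
    """project_id filter is not a usable project identifier (HTTP 400)."""


@dataclass
class RequestContext:
    user_id: str
    project_id: str          # project the caller's token is scoped to
    is_admin: bool = False


@dataclass
class SecurityGroupStore:
    """Constructed stand-in for the database layer.

    It records which projects had a default security group created, which
    is the side effect the report describes for the bogus project 'None'.
    """
    groups: dict = field(default_factory=dict)   # project_id -> [group names]

    def ensure_default_group(self, project_id: str) -> None:
        self.groups.setdefault(project_id, ["default"])

    def list_groups(self, project_id: str) -> list:
        return list(self.groups.get(project_id, []))


def _sentinel_filter(value: str) -> bool:
    # Assumption: the literal strings 'None' and '' are never valid project ids.
    stripped = value.strip()
    return stripped == "" or stripped.lower() == "none"


def list_security_groups(ctx: RequestContext, store: SecurityGroupStore,
                         project_filter: Optional[str] = None) -> list:
    """Resolve the project to list, enforce policy, then touch the store.

    Both checks run before ensure_default_group, so a denied or malformed
    request leaves no trace in the database.
    """
    target = ctx.project_id if project_filter is None else project_filter

    # Non-admins may only list security groups of their own project.
    if not ctx.is_admin and target != ctx.project_id:
        raise Forbidden(f"user {ctx.user_id} may not list project {target!r}")

    # Admins may name any project, but a sentinel like 'None' is rejected
    # instead of silently creating a default group for a project that does
    # not exist (the report's symptom).
    if _sentinel_filter(target):
        raise BadRequest(f"invalid project_id filter {target!r}")

    store.ensure_default_group(target)
    return store.list_groups(target)


def demo() -> dict:
    """Run the cases from the report; returns what each call produced."""
    store = SecurityGroupStore()
    user = RequestContext("u1", "proj-a")                 # constructed
    admin = RequestContext("adm", "admin-proj", is_admin=True)
    results = {}
    try:
        list_security_groups(user, store, "None")
    except Forbidden:
        results["user_None"] = "403"
    results["user_own"] = list_security_groups(user, store)
    results["admin_own"] = list_security_groups(admin, store)
    try:
        list_security_groups(admin, store, "None")
    except BadRequest:
        results["admin_None"] = "400"
    # Only real projects ever got a default group; 'None' is absent.
    results["projects_with_default"] = sorted(store.groups)
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the non-admin request for project "None" is refused with no default group created, while each caller listing its own project gets its default group as usual.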
Created openstack-neutron tracking bugs for this issue: Affects: openstack-rdo [bug 2129211]
Hello: Since [1], the OSC client checks the project ID before executing a command when listing the security groups. This patch is in the code since U/S version Queens (OSP13). This check has been replicated to other Network commands too. This is the output when the related command is executed (using a OSP16.2 deployment):

$ openstack security group list --project None
No project with a name or ID of 'None' exists.

When an admin user calls the CLI, the script checks the existence of the project "None" before sending the command to the Neutron server. If the project does not exist, the CLI returns this error message. If the user is a regular user and the project does not exist or can't be seen from this user, the CLI does not return anything (to avoid providing information to an unauthorized user):

$ openstack security group list --project <non_existing_project>
(empty line)
$ openstack security group list --project <admin_project>
(empty line)

Can you check when this is happening and what version are you using? Regards.

[1] https://review.opendev.org/c/openstack/python-openstackclient/+/355405
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:8855 https://access.redhat.com/errata/RHSA-2022:8855
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:8870 https://access.redhat.com/errata/RHSA-2022:8870
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3277
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.0 Via RHSA-2023:0275 https://access.redhat.com/errata/RHSA-2023:0275