Public bug reported:
Even though the default policy.json restrict the creation of external
networks to admin_only, any user can update a network as external.
I could verify this with the following test (PseudoPython):
project: ProjectA
user: ProjectMemberA has Member role on project ProjectA.
with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA,
router_external=False) as test_network:
self.project_member_a_neutron_client.update_network(network=test_network,
router_external=True)
project_member_a_neutron_client encapsulates a python-neutronclient, and
here it is what the method does.
def update_network(self, network, name=None, shared=None,
router_external=None):
body = {
'network': {
}
}
if name is not None:
body['network']['name'] = name
if shared is not None:
body['network']['shared'] = shared
if router_external is not None:
body['network']['router:external'] = router_external
self.python_neutronclient.update_network(network=network.id,
body=body)['network']
The expected behaviour is that the operation should not be allowed, but the
user without admin privileges is able to perform such change.
Trying to add an "update_network:router:external": "rule:admin_only"
policy did not work and broke other operations a regular user should be
able to do.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338880
Title:
Any user can set a network as external
Status in OpenStack Neutron (virtual network service):
New
Bug description:
Even though the default policy.json restrict the creation of external
networks to admin_only, any user can update a network as external.
I could verify this with the following test (PseudoPython):
project: ProjectA
user: ProjectMemberA has Member role on project ProjectA.
with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA,
router_external=False) as test_network:
self.project_member_a_neutron_client.update_network(network=test_network,
router_external=True)
project_member_a_neutron_client encapsulates a python-neutronclient,
and here it is what the method does.
def update_network(self, network, name=None, shared=None,
router_external=None):
body = {
'network': {
}
}
if name is not None:
body['network']['name'] = name
if shared is not None:
body['network']['shared'] = shared
if router_external is not None:
body['network']['router:external'] = router_external
self.python_neutronclient.update_network(network=network.id,
body=body)['network']
The expected behaviour is that the operation should not be allowed, but the
user without admin privileges is able to perform such change.
Trying to add an "update_network:router:external": "rule:admin_only"
policy did not work and broke other operations a regular user should
be able to do.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338880/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
