Public bug reported:

Even though the default policy.json restricts the creation of external networks to admin_only, any user can update a network as external.

I could verify this with the following test (PseudoPython):

    project: ProjectA
    user: ProjectMemberA has Member role on project ProjectA.

    with network(name="UpdateNetworkExternalRouter", tenant_id=ProjectA, router_external=False) as test_network:
        self.project_member_a_neutron_client.update_network(network=test_network, router_external=True)

project_member_a_neutron_client encapsulates a python-neutronclient, and here is what the method does:

    def update_network(self, network, name=None, shared=None, router_external=None):
        # Build a PUT body containing only the attributes the caller asked to change
        body = {'network': {}}
        if name is not None:
            body['network']['name'] = name
        if shared is not None:
            body['network']['shared'] = shared
        if router_external is not None:
            body['network']['router:external'] = router_external
        return self.python_neutronclient.update_network(network=network.id, body=body)['network']

The expected behaviour is that the operation should not be allowed, but the user without admin privileges is able to perform such a change.

Trying to add an "update_network:router:external": "rule:admin_only" policy did not work and broke other operations a regular user should be able to do.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338880

Title:
  Any user can set a network as external

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338880/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
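The report describes a gap between an action-level policy (creating external networks is admin_only) and an update path that carries the same attribute with no matching rule. The following is an added example, not code from the bug report or from Neutron: it is a simplified model of attribute-scoped policy enforcement, written to show why `create_network:router:external` alone leaves `update_network` open and what an update rule scoped to that one attribute is meant to do. The policy engine, rule strings and request bodies here are constructed for illustration; the real oslo.policy engine is not modelled, and the report itself records that adding the update rule broke other operations on the reporter's deployment, so this model shows the intended behaviour rather than what that version of Neutron did.

```python
"""Simplified model of action- and attribute-level policy checks.

Added example for the neutron bug 1338880 discussion; assumptions, not
Neutron's own code: the rule strings, the policy dicts and the request
bodies are all constructed here.
"""

ADMIN_ONLY = "rule:admin_only"
ANY = ""  # constructed convention: an empty rule string always allows


# Constructed policy mirroring the situation in the report: creating an
# external network is admin_only, but no rule covers the same attribute on
# update, so a plain member can flip router:external after creation.
DEFAULT_POLICY = {
    "create_network": ANY,
    "create_network:router:external": ADMIN_ONLY,
    "update_network": ANY,
}

# Hardened policy: the update rule is keyed on the attribute, so it only
# applies to bodies that actually carry router:external.
HARDENED_POLICY = dict(DEFAULT_POLICY,
                       **{"update_network:router:external": ADMIN_ONLY})


def rule_allows(rule, context):
    """Evaluate one rule string against a caller context (assumed shape)."""
    if rule == ANY:
        return True
    if rule == ADMIN_ONLY:
        return bool(context.get("is_admin", False))
    raise ValueError("unknown rule %r" % rule)


def enforce(policy, action, body, context):
    """Return True if `context` may perform `action` with request `body`.

    First the action-level rule is checked, then one attribute-level rule
    "<action>:<attr>" for every attribute present in body['network'].
    Attributes the caller did not send are not checked, which is what keeps
    a name-only update allowed under the hardened policy.
    """
    if not rule_allows(policy.get(action, ANY), context):
        return False
    for attr in body.get("network", {}):
        attr_rule = policy.get("%s:%s" % (action, attr))
        if attr_rule is not None and not rule_allows(attr_rule, context):
            return False
    return True


def outcomes(policy):
    """Run the constructed member/admin requests against one policy set."""
    member = {"is_admin": False}
    admin = {"is_admin": True}
    set_external = {"network": {"router:external": True}}
    rename = {"network": {"name": "renamed"}}
    return {
        "member_create_external": enforce(policy, "create_network", set_external, member),
        "member_update_external": enforce(policy, "update_network", set_external, member),
        "member_rename": enforce(policy, "update_network", rename, member),
        "admin_update_external": enforce(policy, "update_network", set_external, admin),
    }


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, outcomes(pol))
```

Under `DEFAULT_POLICY` the member is refused on create but allowed on update, which is the inconsistency the report describes; under `HARDENED_POLICY` the member's external-flag update is refused while a name-only update and the admin's update still pass. The useful check when auditing a policy file is therefore whether every attribute that is admin-restricted on create has the same restriction on update, and whether that update rule is scoped to the attribute rather than to the whole action.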