** Changed in: nova/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1290537

Title:
  [OSSA 2014-011] RBAC policy not enforced when adding a security group
  rule using EC2 API (CVE-2014-0167)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  
  It seems that when using the EC2 API, the security group
  implementation does not enforce RBAC policy for the add_rules,
  remove_rules, destroy and other functions (in compute/api.py). Only
  the add_to_instance and remove_from_instance functions enforce RBAC.
  This seems like an oversight for obvious reasons.

  The Nova API security group implementation does enforce RBAC on these
  functions.

  In addition, the add_to_instance and remove_from_instance functions
  which are wrapped in RBAC verification use the
  "compute:security_groups" action which is not even listed in the
  default /etc/nova/policy.json. The latter is confusing to users.

  This is the case on Grizzly and at first glance, it doesn't look like
  this has changed in Havana.

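The two gaps described in the report (methods with no RBAC wrapper, and a wrapped action missing from the policy file) can be caught with a small audit. This is an added example, not nova's code: the `enforce` decorator, the `SecurityGroupAPI` class, the `POLICY` table and the fail-closed handling of unlisted actions are all hypothetical stand-ins built from the function and action names in the description.

```python
import functools
import inspect

# Constructed stand-in for a policy file: action -> role required (assumption).
POLICY = {"compute:get": "member", "compute:create": "member"}

def enforce(action):
    """Wrap a method so it checks `action` against POLICY before running."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(self, context, *args, **kwargs):
            required = POLICY.get(action)
            # Fail closed in this sketch: an action missing from the policy is denied.
            if required is None or required not in context["roles"]:
                raise PermissionError(action)
            return func(self, context, *args, **kwargs)
        wrapper.policy_action = action  # marker read by audit()
        return wrapper
    return decorator

class SecurityGroupAPI:
    """Hypothetical class shaped like the report: two methods wrapped, three not."""
    @enforce("compute:security_groups")
    def add_to_instance(self, context, instance, group):
        return "added"
    @enforce("compute:security_groups")
    def remove_from_instance(self, context, instance, group):
        return "removed"
    def add_rules(self, context, group, rules):
        return "rules added"
    def remove_rules(self, context, group, rules):
        return "rules removed"
    def destroy(self, context, group):
        return "destroyed"

def audit(cls, policy):
    """Return public methods with no policy check, and checked actions absent from policy."""
    unenforced, unlisted = [], set()
    for name, func in inspect.getmembers(cls, inspect.isfunction):
        if name.startswith("_"):
            continue
        action = getattr(func, "policy_action", None)
        if action is None:
            unenforced.append(name)
        elif action not in policy:
            unlisted.add(action)
    return {"unenforced": sorted(unenforced), "unlisted": sorted(unlisted)}
```

Calling `audit(SecurityGroupAPI, POLICY)` reports `add_rules`, `destroy` and `remove_rules` as unenforced and `compute:security_groups` as unlisted; run as a unit test, the same check fails the build when a new method is added without a wrapper.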