[Openstack-security] [Nova] RBAC policy not enforced when adding a security group rule using EC2 API?

Bryan D. Payne bdpayne at acm.org
Mon Mar 3 18:45:43 UTC 2014


Marc,

This sounds like a Nova bug.  Have you filed a bug with the Nova project
for this?  That is probably the best way to get this in front of the right
eyes.

https://bugs.launchpad.net/nova/+bugs

Cheers,
-bryan




On Mon, Mar 3, 2014 at 8:35 AM, Marc Heckmann <marc.w.heckmann at gmail.com> wrote:

> Hi,
>
> I sent this to the general list last week, but it hasn't seemed to get
> any traction there, so I'm trying here. Sorry for the cross posting.
>
> It seems that when using the EC2 API, the security group
> implementation does not enforce RBAC policy for the add_rules,
> remove_rules, destroy and other functions (in compute/api.py). Only
> the add_to_instance and remove_from_instance functions enforce RBAC.
> This seems like an oversight for obvious reasons.
>
> The Nova API security group implementation does enforce RBAC on these
> functions.
>
> Does anyone know why?
>
> Thanks in advance.
>
> -m
>
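
Added example, not part of the original thread and not Nova's code: a small regression check that lists which public methods of an API class carry no policy enforcement, modelled on the split the report describes. The `enforce` decorator, the `sg:*` action names, the `RULES` table and the toy `SecurityGroupAPI` class are all hypothetical; only the method names come from the message above.

```python
import functools
import inspect

# Constructed rule table (hypothetical action names): action -> allowed roles.
RULES = {"sg:add_to_instance": {"admin", "member"},
         "sg:remove_from_instance": {"admin", "member"}}


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not permit the action."""


def enforce(action):
    """Reject the call unless one of the caller's roles is allowed `action`."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(self, context, *args, **kwargs):
            if not RULES.get(action, set()) & set(context["roles"]):
                raise PolicyNotAuthorized(action)
            return func(self, context, *args, **kwargs)
        wrapper.policy_action = action  # marker the audit looks for
        return wrapper
    return decorator


class SecurityGroupAPI:
    """Toy model of the uneven enforcement described in the report."""
    @enforce("sg:add_to_instance")
    def add_to_instance(self, context, instance, group):
        return "added"

    @enforce("sg:remove_from_instance")
    def remove_from_instance(self, context, instance, group):
        return "removed"

    def add_rules(self, context, group, rules):  # no policy check
        return "rules added"

    def remove_rules(self, context, group, rules):  # no policy check
        return "rules removed"

    def destroy(self, context, group):  # no policy check
        return "destroyed"


def unenforced_methods(cls):
    """Return sorted names of public methods that carry no policy marker."""
    return sorted(name for name, fn in inspect.getmembers(cls, inspect.isfunction)
                  if not name.startswith("_") and not hasattr(fn, "policy_action"))
```

Run as a unit test against the real API class, a check of this shape fails the build whenever a new public method is added without a policy decorator.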