[openstack-dev] [neutron] No concept for user "owner" of a neutron port... security issue?

Paul Ward wpward at linux.vnet.ibm.com
Fri Mar 13 18:48:38 UTC 2015

 From what I can tell, neutron ports do not have the concept of an 
"owner" that is a user.  They have "device_owner", which seems to be 
more for things like assigning to a router.

The reason I bring this up is because there seems to be no way to 
restrict the update/delete of a port to only the owner of the nova 
server it's attached to.  You can set the policy file to enforce 
tenant_id, but that would still allow any user in a tenant to delete any 
OTHER user's neutron port in that same tenant.

This actually seems like a security problem to me.  But given it deals 
with a core neutron object, maybe the best way to approach it is with a 
blueprint in Liberty rather than a bug...


More information about the OpenStack-dev mailing list