[openstack-dev] [neutron] No concept for user "owner" of a neutron port... security issue?
Paul Ward
wpward at linux.vnet.ibm.com
Fri Mar 13 18:48:38 UTC 2015
From what I can tell, neutron ports do not have the concept of an
"owner" that is a user. They have "device_owner", which seems to be
more for things like assigning to a router.
The reason I bring this up is because there seems to be no way to
restrict the update/delete of a port to only the owner of the nova
server it's attached to. You can set the policy file to enforce
tenant_id, but that would still allow any user in a tenant to delete any
OTHER user's neutron port in that same tenant.
This actually seems like a security problem to me. But given it deals
with a core neutron object, maybe the best way to approach it is with a
blueprint in Liberty rather than a bug...
Thoughts?
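To make the gap concrete, here is an added example (not code from the post or from neutron) that evaluates the tenant-scoped port policy the post describes against constructed sample records and, from a defender's side, flags the case the policy cannot distinguish: a user in the same tenant acting on a port attached to another user's nova server. The policy evaluator, the `SERVERS` lookup and all record fields are simplified assumptions standing in for the real neutron/oslo.policy machinery.

```python
import re

# Constructed sample data (not from a real deployment): one nova server owned
# by alice, the neutron port attached to it, and three API callers.
SERVERS = {"srv-1": {"user_id": "alice", "tenant_id": "tenant-A"}}
PORT = {"id": "port-1", "tenant_id": "tenant-A",
        "device_owner": "compute:nova", "device_id": "srv-1"}
ALICE = {"user_id": "alice", "tenant_id": "tenant-A", "is_admin": False}
BOB = {"user_id": "bob", "tenant_id": "tenant-A", "is_admin": False}
CAROL = {"user_id": "carol", "tenant_id": "tenant-B", "is_admin": False}

# Tenant-scoped rule for port update/delete as the post describes it:
# admin, or the port's tenant_id matches the caller's tenant_id.
DELETE_PORT_RULE = "is_admin:True or tenant_id:%(tenant_id)s"


def _check(term, target, creds):
    """Evaluate one 'key:value' term; '%(attr)s' substitutes a credential
    attribute. Simplified stand-in for the policy engine's generic check."""
    key, _, value = term.partition(":")
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        return target.get(key) == creds.get(m.group(1))
    return str(creds.get(key)) == value


def enforce(rule, target, creds):
    """Evaluate an 'or'-joined rule string against a target and credentials."""
    return any(_check(t.strip(), target, creds) for t in rule.split(" or "))


def server_owner(port):
    """The ownership neutron itself lacks: derive it from the attached
    nova server via device_id (assumed lookup table)."""
    srv = SERVERS.get(port.get("device_id"))
    return srv["user_id"] if srv else None


def audit_port_op(port, creds):
    """Return (allowed_by_policy, flagged). 'flagged' marks an operation the
    tenant-scoped policy permits although the caller does not own the server
    the port is attached to, which is the case the post calls out."""
    allowed = enforce(DELETE_PORT_RULE, port, creds)
    owner = server_owner(port)
    flagged = allowed and owner is not None and creds["user_id"] != owner
    return allowed, flagged
```

Running `audit_port_op(PORT, BOB)` shows the policy allowing bob and the audit flagging it, while carol (other tenant) is simply denied.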