[openstack-dev] [neutron] No concept for user "owner" of a neutron port... security issue?

Kevin Benton blak111 at gmail.com
Fri Mar 13 20:40:53 UTC 2015

Things in Neutron are restricted at the tenant level. Nothing pays
attention to the user ID (other than maybe a custom policy.json entry). If
you have two users that aren't trusted together, they shouldn't be in the
same tenant.

If we want to change that model, it will definitely require a blueprint
because it would need to be changed for everything rather than just ports.

On Fri, Mar 13, 2015 at 11:48 AM, Paul Ward <wpward at linux.vnet.ibm.com>

> From what I can tell, neutron ports do not have the concept of an "owner"
> that is a user.  They have "device_owner", which seems to be more for
> things like assigning to a router.
> The reason I bring this up is because there seems to be no way to restrict
> the update/delete of a port to only the owner of the nova server it's
> attached to.  You can set the policy file to enforce tenant_id, but that
> would still allow any user in a tenant to delete any OTHER user's neutron
> port in that same tenant.
> This actually seems like a security problem to me.  But given it deals
> with a core neutron object, maybe the best way to approach it is with a
> blueprint in Liberty rather than a bug...
> Thoughts?
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Kevin Benton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150313/646b6b88/attachment.html>

More information about the OpenStack-dev mailing list