[openstack-dev] [neutron] No concept for user "owner" of a neutron port... security issue?
blak111 at gmail.com
Fri Mar 13 20:40:53 UTC 2015
Things in Neutron are restricted at the tenant level. Nothing pays
attention to the user ID (other than maybe a custom policy.json entry). If
you have two users that aren't trusted together, they shouldn't be in the
If we want to change that model, it will definitely require a blueprint
because it would need to be changed for everything rather than just ports.
On Fri, Mar 13, 2015 at 11:48 AM, Paul Ward <wpward at linux.vnet.ibm.com>
> From what I can tell, neutron ports do not have the concept of an "owner"
> that is a user. They have "device_owner", which seems to be more for
> things like assigning to a router.
> The reason I bring this up is because there seems to be no way to restrict
> the update/delete of a port to only the owner of the nova server it's
> attached to. You can set the policy file to enforce tenant_id, but that
> would still allow any user in a tenant to delete any OTHER user's neutron
> port in that same tenant.
> This actually seems like a security problem to me. But given it deals
> with a core neutron object, maybe the best way to approach it is with a
> blueprint in Liberty rather than a bug...
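Added illustration (not code from this thread or from Neutron): a small evaluator that mimics the semantics of policy.json rules such as `tenant_id:%(tenant_id)s`, used to show the tenant-level model Kevin describes and why a user-level check cannot be expressed today. The port, users and the `user_owner` rule are constructed for the example; the evaluator is a simplified stand-in for oslo.policy, not the real library.

```python
"""Simplified Neutron-style policy.json evaluation (constructed example).

Supports the rule forms the thread touches on: "rule:<name>", "role:<name>" and
generic "<cred_attr>:%(<target_field>)s" comparisons joined with "or"/"and".
"""
import re

# Modelled on the stock Neutron defaults: admin_or_owner keys on tenant_id only.
# "user_owner" is a hypothetical rule added here to show what a user-level
# check would need from the target object.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "update_port": "rule:admin_or_owner",
    "delete_port": "rule:admin_or_owner",
    "user_owner": "rule:context_is_admin or user_id:%(user_id)s",  # hypothetical
}


def _atom(atom, target, creds, policy):
    """Evaluate one "kind:value" term against the target object and caller creds."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, target, creds, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    match = re.fullmatch(r"%\((\w+)\)s", value)
    if match:
        field = match.group(1)
        # Like oslo.policy's GenericCheck: a field missing from the target
        # makes the substitution fail, so the check is False rather than an error.
        if field not in target:
            return False
        return creds.get(kind) == target[field]
    return creds.get(kind) == value


def evaluate(rule_name, target, creds, policy=POLICY):
    """Return True if the caller's creds satisfy the named rule for the target."""
    expr = policy[rule_name]
    return any(
        all(_atom(term.strip(), target, creds, policy) for term in conj.split(" and "))
        for conj in expr.split(" or ")
    )


# Constructed sample data: a Neutron port has tenant_id and device_owner but,
# as the original post notes, no user-level owner attribute.
PORT = {"id": "port-1", "tenant_id": "tenant-a", "device_owner": "compute:nova"}
ALICE = {"user_id": "alice", "tenant_id": "tenant-a", "roles": ["member"]}
BOB = {"user_id": "bob", "tenant_id": "tenant-a", "roles": ["member"]}
CAROL = {"user_id": "carol", "tenant_id": "tenant-b", "roles": ["member"]}


def who_can(rule_name, target, users):
    """Map each user's user_id to whether the rule allows them on the target."""
    return {u["user_id"]: evaluate(rule_name, target, u) for u in users}


if __name__ == "__main__":
    # Stock tenant-scoped rule: every member of tenant-a may delete the port.
    print("delete_port:", who_can("delete_port", PORT, [ALICE, BOB, CAROL]))
    # Hypothetical user-scoped rule: nobody passes, because the port carries
    # no user_id to compare against.
    print("user_owner:", who_can("user_owner", PORT, [ALICE, BOB, CAROL]))
    # Only if the object itself recorded a user owner would the rule work,
    # which is why the change reaches beyond policy.json into the data model.
    print("user_owner (port with owner):",
          who_can("user_owner", dict(PORT, user_id="alice"), [ALICE, BOB, CAROL]))
```

The first call shows the behaviour the thread describes: with tenant-scoped policy, bob can delete alice's port because both are in tenant-a, while carol in tenant-b is refused. The second call shows that simply writing a `user_id:%(user_id)s` entry in policy.json does not help, since the port object has no such field for the check to match; the third call shows the rule only becomes meaningful once the object records a user owner, which is the model change that would need a blueprint.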