neutron

Network RBAC acceptance workflow

Bug #1669630 reported by Adrian Turjak
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Triaged
Wishlist
Unassigned

Bug Description

Network RBAC is hugely useful, but the policy is too limited and as such causes some potential security problems. It is either turned on for everyone, or off. No in between, with the only limitation being no wildcards for non-admins.

If you know the project id, you can share a network to that project id. This allows you to name a network 'public' or 'default' and share it to others in hopes of them connecting to it where you then potentially compromise their instances. Effectively this allows honey-pot networks.
The only layer of safely you have is first needing to gleam a project id before you can do this, effectively security through obscurity, which is a terrible approach.

Ideally network RBAC should work the same as image sharing in Glance. You share a network, and the other project must accept it before it becomes usable. This doesn't stop a too trusting party from accepting an unsafe network, but it means they have some warning before doing
anything silly. Otherwise the onus is on them to always be vigilant for shared networks that shouldn't be there, which is not exactly something we want users to have to worry about.

This is particularly bad in a public cloud setting, less so in private cloud.

The proposed fix is to add an acceptance workflow, and a new column on the RBAC models to allow that.

There is no good way to make such a feature backwards compatible. As such the easiest and probably best solution is to setup a config entry that turns on acceptance for Network RBAC, with an initial default of no acceptance workflow. Combine this with a deprecation warning that the default would change to acceptance as default going forward, but would give enough people making use of the no acceptance feature time to set their configs to turn it off.

A further extension would be the addition of an auto-acceptance feature which would be a second config setting (a list of possible conditions) linked to a series of optional checks during Network RBAC creation where if any of them are met, the Network RBAC policy is created without the need for acceptance.

The two default conditions for this should be:
- User has roles in both projects attempted to share between.
- Both projects are in the same project tree.

The first, a role check is a single call to the role assignment API in Keystone. The second is two API calls to project detail with "parents_as_ids=true" for both projects, and comparing if there is a matching ID in the two parent paths that isn't the domain. Both are simple enough and will not add much additional time, but will allow a nicer UX than always requiring acceptance.

Since Neutron has an admin user to be able to validate tokens, using it as well to do these checks shouldn't be much of a stretch.

See original description
Adrian Turjak (adriant-y)
description: updated
Kevin Benton (kevinbenton)
Changed in neutron:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

A proposal here is to introduce a new API (new resource) for new approvable RBACs, then maintain both options for some time (allowing admins to opt out of the former via policy.json), then dropping the old API after some time (leaving the old api definition in api-ref for out of tree plugins to implement).

A proposal to introduce a new config option is not ideal because it introduces another point of api incompatibility between clouds.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

After checking the glance API model, I start to think a new API sounds appropriate.

I checked the sharing feature of glance API. Glance image sharing is an opt-out model.
The API is described at [0] and the concept.
"member" can take three status "pending", "accepted" and "rejected".
Image with pending status is not visible in the default image list, but they can use the image to boot an instance.
This looks a good balance of opt-in and opt-out.

In our current API of neutron RBAC, shared networks are listed in network list, so even if we adopt the model similar to glance one, the API behavior would be backward incompatible. A new API sounds better to me now.

[0] https://developer.openstack.org/api-ref/image/v2/index.html#sharing
[1] http://specs.openstack.org/openstack/glance-specs/specs/api/v2/sharing-image-api-v2.html#producer-consumer-communication
[2] http://specs.openstack.org/openstack/glance-specs/specs/api/v2/sharing-image-api-v2.html#image-member-status-values

Revision history for this message
Adrian Turjak (adriant-y) wrote :

Given that the RBAC API as is currently in Neutron can be made admin only, a new API which users can then safely use would work for me and our use cases.

Effectively our requirement is:
Users can share networks between their projects.
Users cannot share networks with anyone unless the target project is one they have access to, or the target project must accept it.
The old Network RBAC functionality can be turned off for non-admin users so they must use the acceptance workflow.

A new API would fulfil those requirements.

Revision history for this message
Kevin Benton (kevinbenton) wrote :

@Adrian,

Do you have the bandwidth to help out contributing to this request? I think we have a path forward, but we are a little short on development resources.

I can help you or whoever wants to implement it with pointers to what needs to be changed.

Revision history for this message
Adrian Turjak (adriant-y) wrote :

I don't have the bandwidth right now, but I might be able to fit it in among other work over the next while. Plus this would be a good reason to actually get into the Neutron code base a bit as it isn't one I've dug through before much.

Let's say yes for now, and any direction as to where to start looking would be good. To save me some time, even just some ideas of where in the current code base I should be looking, and where to start about with adding a new API. Chances are I can mostly reuse a large amount of the existing RBAC code, but what I'm curious of is how much of the existing models can be reused.

If possible using the existing models with some minor changes to them so the old API and the new can both use them would be ideal. Then the API itself is simply a different path/workflow to sharing a network. The old uses the old method and goes straight to the shared state, while the new handles the in between stage (pending), and the acceptance step action. Hopefully that is possible, otherwise we may have to duplicate some functionality.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This was discussed during today's drivers meeting [1]. The RFE is a sensible request, though for the complexity of the request involved, a neutron spec is required to outline CLI, API changes etc. For all intents and purposes, this can be marked approved (if ready to be worked ASAP) or postponed if no resources are available.

[1] http://eavesdrop.openstack.org/meetings/neutron_drivers/2017/neutron_drivers.2017-07-06-22.00.log.html

Revision history for this message
Kevin Benton (kevinbenton) wrote :

Marking as postponed until someone has the bandwidth to implement. @Adrian, reach out on IRC when you have some time.

tags: added: rfe-postponed
removed: rfe
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.