review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
Stop device_owner from being set to 'network:*'
author    Kevin Benton <blak111@gmail.com>
          Wed, 26 Aug 2015 05:03:27 +0000 (22:03 -0700)
committer Tristan Cacqueray <tdecacqu@redhat.com>
          Tue, 8 Sep 2015 15:00:13 +0000 (15:00 +0000)
commit    bbca973986fdc99eae9d1b2545e8246c0b2be2e2
tree      02e16dcd539d7e7e941eda8c74e1cd0ad208195e
parent    dbe420c2b79f0df07f607d847f2f94c1cecc4eba
Stop device_owner from being set to 'network:*'

This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.

This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc.). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.

Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.

Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
etc/policy.json
neutron/api/v2/attributes.py
neutron/policy.py
neutron/tests/etc/policy.json
neutron/tests/unit/test_policy.py
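The check the commit message describes, written out as an added illustration (not Neutron's FieldCheck, not its policy.json syntax, and not code from this commit): a regex-capable field check on device_owner, and a port-create decision that only lets the network's owner or an admin claim a 'network:*' owner. The resource dicts, tenant ids and helper names are constructed for the example.

```python
import re

# Hypothetical, simplified model of a policy "field check" that accepts a regex.
# Names and data are constructed for illustration; this is not Neutron's code.


def field_matches(resource, field, pattern):
    """Regex-capable field check: True if resource[field] matches pattern."""
    value = resource.get(field)
    return value is not None and re.match(pattern, str(value)) is not None


def security_groups_applied(port):
    """Models the behaviour the message describes: ports whose device_owner
    starts with 'network:' are treated as trusted and skip security group
    rules (DHCP, IPv6 ICMP and IP/MAC anti-spoofing included)."""
    return not field_matches(port, "device_owner", r"^network:")


def is_owner_or_admin(creds, network):
    """Caller is admin or owns the network the port is attached to."""
    return bool(creds.get("is_admin")) or creds.get("tenant_id") == network["tenant_id"]


def may_create_port(port, network, creds):
    """Policy decision: a 'network:*' device_owner is only allowed for the
    network owner or an admin; any other device_owner is allowed as before."""
    if field_matches(port, "device_owner", r"^network:"):
        return is_owner_or_admin(creds, network)
    return True


# Constructed sample data: a shared network owned by tenant "provider".
SHARED_NET = {"id": "net-1", "tenant_id": "provider", "shared": True}
TENANT_A = {"tenant_id": "tenant-a"}
OWNER = {"tenant_id": "provider"}
ADMIN = {"tenant_id": "ops", "is_admin": True}
```

A port that fails the check here is exactly one that security_groups_applied() would have exempted from filtering, which is the gap the policy closes.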