[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Nova] RBAC policy not enforced when adding a security group rule using EC2 API?


I sent this to the general list last week, but it hasn't seemed to get
any traction there, so I'm trying here. Sorry for the cross posting.

It seems that when using the EC2 API, the security group
implementation does not enforce RBAC policy for the add_rules,
remove_rules, destroy and other functions (in compute/api.py). Only
the add_to_instance and remove_from_instance functions enforce RBAC.
This seems like an oversight for obvious reasons.

The Nova API security group implementation does enforce RBAC on these functions.

Does anyone know why?

Thanks in advance.