When creating share networks from neutron networks, a non-privileged project user can gather privileged neutron network information from the share networks API.
Neutron network:
(demo@overcloud) [stack@undercloud-0 ~]$ neutron net-show demo-net
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | nova |
| created_at | 2019-04-11T19:33:11Z |
| description | |
| id | 1e83e04c-fb5a-4985-b1a1-eb2044c447c5 |
| ipv4_address_scope | |
| ipv6_address_scope | |
| l2_adjacency | True |
| mtu | 1500 |
| name | demo-net |
| port_security_enabled | True |
| project_id | 65bbd70550c44bd08e1e37691e5d5c41 |
| qos_policy_id | |
| revision_number | 3 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 4a46720e-c889-417b-b27d-1568473a537d |
| tags | |
| tenant_id | 65bbd70550c44bd08e1e37691e5d5c41 |
| updated_at | 2019-04-11T19:33:43Z |
+-------------------------+--------------------------------------+
(demo@overcloud) [stack@undercloud-0 ~]$ neutron subnet-show demo-subnet
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+-------------------+--------------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------------+
| allocation_pools | {"start": "172.20.0.2", "end": "172.20.255.254"} |
| cidr | 172.20.0.0/16 |
| created_at | 2019-04-11T19:33:43Z |
| description | |
| dns_nameservers | 10.0.0.1 |
| enable_dhcp | True |
| gateway_ip | 172.20.0.1 |
| host_routes | |
| id | 4a46720e-c889-417b-b27d-1568473a537d |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | demo-subnet |
| network_id | 1e83e04c-fb5a-4985-b1a1-eb2044c447c5 |
| project_id | 65bbd70550c44bd08e1e37691e5d5c41 |
| revision_number | 0 |
| service_types | |
| subnetpool_id | |
| tags | |
| tenant_id | 65bbd70550c44bd08e1e37691e5d5c41 |
| updated_at | 2019-04-11T19:33:43Z |
+-------------------+--------------------------------------------------+
Manila share network:
(demo@overcloud) [stack@undercloud-0 ~]$ manila share-network-show demo-sharenet
+-------------------+--------------------------------------+
| Property | Value |
+-------------------+--------------------------------------+
| network_type | vlan |
| name | demo-sharenet |
| segmentation_id | 1085 |
| created_at | 2019-04-11T19:37:07.000000 |
| neutron_subnet_id | 4a46720e-c889-417b-b27d-1568473a537d |
| updated_at | 2019-04-11T19:41:51.000000 |
| mtu | 1500 |
| gateway | 172.20.0.1 |
| neutron_net_id | 1e83e04c-fb5a-4985-b1a1-eb2044c447c5 |
| ip_version | 4 |
| cidr | 172.20.0.0/16 |
| project_id | 65bbd70550c44bd08e1e37691e5d5c41 |
| id | 7242d33b-53dc-4718-ba82-821ae68c4c9f |
| description | None |
+-------------------+--------------------------------------+
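The comparison in the report above can be automated as a regression check; this is an added example, not code from Manila, Neutron, or the original report. The `SOURCE` mapping is an assumption: it pairs each share-network field with the Neutron attribute it appears to come from, where `provider:network_type` and `provider:segmentation_id` are Neutron's provider attributes, which its default policy exposes to administrators only.

```python
# Added example, not Manila/Neutron code. SOURCE is an assumed mapping:
# Manila share-network field -> (Neutron view, Neutron attribute it mirrors)
SOURCE = {
    "network_type": ("net", "provider:network_type"),
    "segmentation_id": ("net", "provider:segmentation_id"),
    "mtu": ("net", "mtu"),
    "neutron_net_id": ("net", "id"),
    "neutron_subnet_id": ("subnet", "id"),
    "gateway": ("subnet", "gateway_ip"),
    "ip_version": ("subnet", "ip_version"),
    "cidr": ("subnet", "cidr"),
}

def parse_table(text):
    """Parse '| key | value |' rows of OpenStack CLI table output into a dict."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, prompts and deprecation notices
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] not in ("Field", "Property"):
            rows[cells[0]] = cells[1]
    return rows

def leaked_fields(share_net, views):
    """Populated Manila fields whose Neutron source attribute the same user cannot read."""
    return sorted(
        field for field, (view, attr) in SOURCE.items()
        if share_net.get(field, "") not in ("", "None") and attr not in views[view]
    )

# Sample rows abridged from the demo user's output in the report.
NET = """| id | 1e83e04c-fb5a-4985-b1a1-eb2044c447c5 |
| mtu | 1500 |"""
SUBNET = """| cidr | 172.20.0.0/16 |
| gateway_ip | 172.20.0.1 |
| id | 4a46720e-c889-417b-b27d-1568473a537d |
| ip_version | 4 |"""
SHARENET = """| network_type | vlan |
| segmentation_id | 1085 |
| mtu | 1500 |
| gateway | 172.20.0.1 |
| neutron_net_id | 1e83e04c-fb5a-4985-b1a1-eb2044c447c5 |
| neutron_subnet_id | 4a46720e-c889-417b-b27d-1568473a537d |
| ip_version | 4 |
| cidr | 172.20.0.0/16 |"""
VIEWS = {"net": parse_table(NET), "subnet": parse_table(SUBNET)}
print(leaked_fields(parse_table(SHARENET), VIEWS))
```

Run against output captured with the same non-admin credentials for all three commands, an empty list means the share network shows nothing beyond what that user's Neutron view already exposes.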
So I can better understand the risks implicated in this report, can you explain the circumstances under which someone might create a "non-privileged project user" and which parts of the "share networks API" output are sensitive? Also what might such a user be able to do once obtaining this data?