Comment 2 for bug 1824442

Goutham Pacha Ravi (gouthamr) wrote :

The two privileged fields are "network_type" and "segmentation_id". These fields are protected by neutron policy [1] and they default to keystone user role with 'rule:admin_only'. I am unsure if this information can be used to exploit OpenStack services or users' data.

A user who has been denied access to this information by the cloud administrator (by virtue of policy) can use the share networks API to designate a neutron network as a manila share network, and gather the hidden details of the neutron share network, thereby working around the security cover of the Neutron API.
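
An added example (not manila's or neutron's code, and not part of the comment above) of the defensive check the report points to: before a share network is returned, evaluate the same per-field rule that guards the datum in neutron, and blank the two fields for callers who fail it. The policy table, the field-to-rule mapping, the helper names and the sample record are assumptions constructed for illustration.

```python
# Constructed policy table (assumption): rule names follow neutron's
# "get_network:provider:*" convention, both defaulting to rule:admin_only.
NEUTRON_POLICY = {
    "admin_only": "role:admin",
    "get_network:provider:network_type": "rule:admin_only",
    "get_network:provider:segmentation_id": "rule:admin_only",
}

# Hypothetical mapping: share network field -> rule guarding the same datum.
GUARDED_FIELDS = {
    "network_type": "get_network:provider:network_type",
    "segmentation_id": "get_network:provider:segmentation_id",
}

def allowed(rule, roles, policy, _depth=0):
    """Evaluate 'role:<name>' / 'rule:<name>' checks; anything else fails closed."""
    expr = policy.get(rule)
    if expr is None or _depth > 10:   # unknown rule or reference loop
        return False
    kind, _, name = expr.partition(":")
    if kind == "role":
        return name in roles
    if kind == "rule":
        return allowed(name, roles, policy, _depth + 1)
    return False

def leaked_fields(view, roles, policy=NEUTRON_POLICY):
    """Fields present in this view that the caller's roles are denied by policy."""
    return sorted(f for f, r in GUARDED_FIELDS.items()
                  if view.get(f) is not None and not allowed(r, roles, policy))

def redact_share_network(view, roles, policy=NEUTRON_POLICY):
    """Return a copy of the view with denied fields blanked to None."""
    out = dict(view)
    for field in leaked_fields(view, roles, policy):
        out[field] = None
    return out

# Constructed share network record as a non-admin caller would receive it.
SAMPLE = {
    "id": "sn-0001",
    "neutron_net_id": "net-0001",
    "network_type": "vlan",
    "segmentation_id": 1234,
}

if __name__ == "__main__":
    print("exposed to member:", leaked_fields(SAMPLE, {"member"}))
    print("after redaction:  ", redact_share_network(SAMPLE, {"member"}))
```

Running `leaked_fields` over recorded API responses for non-admin tokens is also a quick way to audit whether a deployment exposes the two fields.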