Assuming the default case of deny all in a security group, the attack scenario would be to use add_rules to add rules to an instance.
Now, the problem with this bug is that users may get into a situation where there is a false sense of security.
For example, as a private-cloud operator, I want to restrict all Nova actions to users with the "Member" role on the tenant. Once that is done, I want to create a new role that allows only for read-only access to security group and instance information for auditing purposes. I can achieve this by editing the rule for the "compute_extension:security_groups" action in /etc/nova/policy.json. This will do what I want for the Nova API. The problem is that the EC2 API is left vulnerable and a user that does not have the Member role but only the read-only role can now add or delete rules from a security group.
I hope that helps to clarify things. Of course, this bug only affects users who are trying to create tighter access controls. The default configuration is not affected by this bug since it grants any role on a project/tenant full access.
Assuming the default case of deny all in a security group, the attack scenario would be to use add_rules to add rules to an instance.
Now, the problem with this bug is that users may get into a situation where there is a false sense of security.
For example, as a private-cloud operator, I want to restrict all Nova actions to users with the "Member" role on the tenant. Once that is done, I want to create a new role that allows only for read-only access to security group and instance information for auditing purposes. I can achieve this by editing the rule for the "compute_ extension: security_ groups" action in /etc/nova/ policy. json. This will do what I want for the Nova API. The problem is that the EC2 API is left vulnerable and a user that does not have the Member role but only the read-only role can now add or delete rules from a security group.
I hope that helps to clarify things. Of course, this bug only affects users who are trying to create tighter access controls. The default configuration is not affected by this bug since it grants any role on a project/tenant full access.