diff --git a/Standards/scs-xxxx-v1-provider-network-standard.md b/Standards/scs-xxxx-v1-provider-network-standard.md index 327c4aebb..880eb45b1 100644 --- a/Standards/scs-xxxx-v1-provider-network-standard.md +++ b/Standards/scs-xxxx-v1-provider-network-standard.md @@ -236,7 +236,7 @@ If such a subnet pool is provided, it **MUST** have the `is_default` flag set to ### RBAC Restrictions By default, users **SHOULD** be prohibited by policy from creating Networking RBAC rules, to prevent the creation of faux provider networks. -The necessary policy change to implement this restriction for the Neutron API can be found in the Networking RBAC documentation [^rbac]. +The necessary policy change is described in the implementation notes to this standard. ## Conformance Tests @@ -250,4 +250,3 @@ The necessary policy change to implement this restriction for the Neutron API ca [^pf]: [^ds]: [^aa]: -[^rbac]: diff --git a/Standards/scs-xxxx-w1-provider-network-standard-implementation.md b/Standards/scs-xxxx-w1-provider-network-standard-implementation.md new file mode 100644 index 000000000..24269ce0c --- /dev/null +++ b/Standards/scs-xxxx-w1-provider-network-standard-implementation.md 
@@ -0,0 +1,21 @@ +--- +title: "Provider Network Standard: Implementation Notes" +type: Supplement +track: IaaS +status: Proposal +supplements: + - scs-xxxx-v1-provider-network-standard.md +--- + +### Policy adjustment for restricting Networking RBAC + +Per default, OpenStack's Networking API allows all user, regardless of role to change the accessibility of networking resources (e.g. networks, routers, security groups) to other projects. +Such shared resources are, without knowledge of the respective project IDs, indistinguishable from resources shared by the CSP, allowing malicious users to present networking resources to other client as coming from the provider. +The Provider Network Standard states that CSPs SHOULD restrict this functionality to administrators, which requires the following change to the `policy.yaml` file of the Neutron API[^rbac]: + +```yaml +"create_rbac_policy": "rule:admin_only" +``` + +[^rbac]: +
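Review bot: In the first hunk of `scs-xxxx-v1-provider-network-standard.md` (the `### RBAC Restrictions` paragraph) the replacement sentence "The necessary policy change is described in the implementation notes to this standard." drops the `[^rbac]` reference without giving the reader any way to find those notes. Link the supplement explicitly, e.g. `... described in the [implementation notes](scs-xxxx-w1-provider-network-standard-implementation.md) to this standard.`, so the normative text still points at a concrete document. Since this sentence is the only place the standard tells operators where the policy lives, a dangling prose reference is a documentation gap, not just a style issue.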
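Review bot: In the second hunk of `scs-xxxx-v1-provider-network-standard.md` (`@@ -250,4 +250,3 @@`) removing the `-[^rbac]:` definition is consistent with dropping the reference in the first hunk, so no orphaned footnote remains in the standard. The surrounding context lines `[^pf]:`, `[^ds]:` and `[^aa]:` show no target after the colon in this diff; if that is the actual file content rather than an extraction artefact, those definitions should be filled in before the standard leaves Proposal status, ideally in a separate change.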
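Review bot: In the new file `scs-xxxx-w1-provider-network-standard-implementation.md` the footnote `[^rbac]:` that the sentence "... the `policy.yaml` file of the Neutron API[^rbac]" relies on is added empty, so the only external reference for the policy change has no target; add the URL of the Networking RBAC documentation that the old `[^rbac]` in the standard pointed to. Second, the note says the standard wants "this functionality" restricted to administrators but only shows `"create_rbac_policy": "rule:admin_only"`; state whether `update_rbac_policy` and `delete_rbac_policy` need the same treatment or why restricting creation alone is sufficient, otherwise operators cannot tell whether the snippet is complete. Third, the object-type list "networks, routers, security groups" should be checked against the resource types Neutron's RBAC API actually supports; routers are not obviously among them, and an incorrect example weakens the threat description. Finally, some wording fixes: "Per default" should be "By default", "allows all user, regardless of role" should be "allows all users, regardless of their role", and "to other client" should be "to other clients"; the document also opens at `###` with no top-level heading, which is inconsistent with the standard it supplements.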