From fa273983d41438d0fa117ca76ce6a99819ad7f41 Mon Sep 17 00:00:00 2001 From: Konrad Gube Date: Thu, 21 Nov 2024 15:31:26 +0100 Subject: [PATCH] Add implementation note for networking rbac restriction Signed-off-by: Konrad Gube --- .../scs-xxxx-v1-provider-network-standard.md | 3 +-- ...rovider-network-standard-implementation.md | 21 +++++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 Standards/scs-xxxx-w1-provider-network-standard-implementation.md diff --git a/Standards/scs-xxxx-v1-provider-network-standard.md b/Standards/scs-xxxx-v1-provider-network-standard.md index 327c4aebb..880eb45b1 100644 --- a/Standards/scs-xxxx-v1-provider-network-standard.md +++ b/Standards/scs-xxxx-v1-provider-network-standard.md @@ -236,7 +236,7 @@ If such a subnet pool is provided, it **MUST** have the `is_default` flag set to ### RBAC Restrictions By default, users **SHOULD** be prohibited by policy from creating Networking RBAC rules, to prevent the creation of faux provider networks. -The necessary policy change to implement this restriction for the Neutron API can be found in the Networking RBAC documentation [^rbac]. +The necessary policy change is described in the implementation notes to this standard. ## Conformance Tests @@ -250,4 +250,3 @@ The necessary policy change to implement this restriction for the Neutron API ca [^pf]: [^ds]: [^aa]: -[^rbac]: diff --git a/Standards/scs-xxxx-w1-provider-network-standard-implementation.md b/Standards/scs-xxxx-w1-provider-network-standard-implementation.md new file mode 100644 index 000000000..24269ce0c --- /dev/null +++ b/Standards/scs-xxxx-w1-provider-network-standard-implementation.md 
@@ -0,0 +1,21 @@ +--- +title: "Provider Network Standard: Implementation Notes" +type: Supplement +track: IaaS +status: Proposal +supplements: + - scs-xxxx-v1-provider-network-standard.md +--- + +### Policy adjustment for restricting Networking RBAC + +Per default, OpenStack's Networking API allows all user, regardless of role to change the accessibility of networking resources (e.g. networks, routers, security groups) to other projects. +Such shared resources are, without knowledge of the respective project IDs, indistinguishable from resources shared by the CSP, allowing malicious users to present networking resources to other client as coming from the provider. +The Provider Network Standard states that CSPs SHOULD restrict this functionality to administrators, which requires the following change to the `policy.yaml` file of the Neutron API[^rbac]: + +```yaml +"create_rbac_policy": "rule:admin_only" +``` + +[^rbac]: +
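Review bot: in the first hunk of `scs-xxxx-v1-provider-network-standard.md`, the replacement sentence "The necessary policy change is described in the implementation notes to this standard." gives the reader no way to find those notes, whereas the line it replaces at least carried a footnote to the upstream documentation; suggest linking the supplement file directly, e.g. `described in the [implementation notes](scs-xxxx-w1-provider-network-standard-implementation.md) to this standard`, so the policy snippet is reachable from the standard itself.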
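Review bot: in the second hunk (`@@ -250,4 +250,3 @@`), removing the `[^rbac]:` definition is consistent with the reference being dropped in the hunk above, but the remaining definitions `[^pf]:`, `[^ds]:` and `[^aa]:` show no targets in the context lines; worth confirming the rendered file still carries their URLs before merging so the standard is not left with dangling footnotes.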
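Review bot: in the new-file hunk, the footnote definition `+[^rbac]:` at the end of the file is empty, so the reference in "the `policy.yaml` file of the Neutron API[^rbac]" points nowhere; the Networking RBAC documentation link that this patch removes from the standard should be carried over here, otherwise the upstream source for the rule is lost entirely. Two smaller points on the same hunk: the prose has grammar slips ("allows all user, regardless of role to change" should read "allows all users, regardless of role, to change"; "to other client" should be "to other clients"; "Per default" is better as "By default"), and the `"create_rbac_policy": "rule:admin_only"` snippet covers only the creation of RBAC entries, while the standard text quoted here says the functionality should be restricted to administrators; a sentence stating whether changing or deleting existing entries is in scope, and that operators with an existing `policy.yaml` should merge this rule rather than replace the file, would make the note actionable.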