Add implementation note for networking rbac restriction

kgube · fkr · commit 751a4e7b37ca · 2025-03-25T08:00:25.000+01:00
Signed-off-by: Konrad Gube &lt;konrad.gube@cloudandheat.com&gt;
diff --git a/Standards/scs-xxxx-v1-provider-network-standard.md b/Standards/scs-xxxx-v1-provider-network-standard.md
@@ -236,7 +236,7 @@ If such a subnet pool is provided, it **MUST** have the `is_default` flag set to
 ### RBAC Restrictions
 
 By default, users **SHOULD** be prohibited by policy from creating Networking RBAC rules, to prevent the creation of faux provider networks.
-The necessary policy change to implement this restriction for the Neutron API can be found in the Networking RBAC documentation [^rbac].
+The necessary policy change is described in the implementation notes to this standard.
 
 ## Conformance Tests
 
@@ -250,4 +250,3 @@ The necessary policy change to implement this restriction for the Neutron API ca
 [^pf]: <https://docs.openstack.org/api-ref/network/v2/index.html#floating-ips-port-forwarding>
 [^ds]: <https://docs.openstack.org/neutron/2024.1/admin/config-ipv6.html>
 [^aa]: <https://docs.openstack.org/neutron/2024.1/admin/config-auto-allocation.html>
-[^rbac]: <https://docs.openstack.org/neutron/2024.1/admin/config-rbac.html#preventing-regular-users-from-sharing-objects-with-each-other>
diff --git a/Standards/scs-xxxx-w1-provider-network-standard-implementation.md b/Standards/scs-xxxx-w1-provider-network-standard-implementation.md
@@ -0,0 +1,20 @@
+---
+title: "Provider Network Standard: Implementation Notes"
+type: Supplement
+track: IaaS
+status: Proposal
+supplements:
+  - scs-xxxx-v1-provider-network-standard.md
+---
+
+### Policy adjustment for restricting Networking RBAC
+
+Per default, OpenStack's Networking API allows all user, regardless of role to change the accessibility of networking resources (e.g. networks, routers, security groups) to other projects.
+Such shared resources are, without knowledge of the respective project IDs, indistinguishable from resources shared by the CSP, allowing malicious users to present networking resources to other client as coming from the provider.
+The Provider Network Standard states that CSPs SHOULD restrict this functionality to administrators, which requires the following change to the `policy.yaml` file of the Neutron API[^rbac]:
+
+```yaml
+"create_rbac_policy": "rule:admin_only"
+```
+
+[^rbac]: <https://docs.openstack.org/neutron/2024.1/admin/config-rbac.html#preventing-regular-users-from-sharing-objects-with-each-other>
