check foreign key ownership for port/subnet creation

Bug #1014989 reported by dan wendlandt
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Juliano Martinez
Milestone: 2012.2

Bug Description

In F-2, Quantum got a basic authz implementation that is equivalent to what nova has. This enforces that an entity is only updated by the tenant that created it, or by an admin tenant.

However, for quantum, we actually need something more: specifically, we need to make sure that a subnet or port can only be associated with a network that is owned by the same tenant (at least in the simple use case. There are advanced use cases where a provider will want to be able to allow tenants to create ports on a network owned by the provider).

Kevin Mitchell said that the likely best way to do this would be to extend the "brain" concept in the existing policy checking code. See comments within the review for the base authz code: https://review.openstack.org/8500
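Added example, not Quantum/Neutron code and not the patch that merged for this bug: a minimal in-memory model of the check the description asks for, showing the unchecked port creation beside a version that validates network ownership before the port or subnet is created. `RequestContext`, `NETWORKS`, `create_port`, `create_subnet` and the `is_admin` flag are illustrative names standing in for the plugin and database, not the project's API. The example also assumes that the owner of the new resource is taken from the caller's token rather than from a `tenant_id` in the request body, which the description does not discuss.

```python
# Added example, not Quantum/Neutron code: a minimal model of the ownership
# check this bug asks for. RequestContext, NETWORKS, create_port and
# create_subnet are illustrative names and an in-memory stand-in for the
# plugin/database, not the project's API.
from dataclasses import dataclass

# Constructed sample data: each tenant owns one network.
NETWORKS = {
    "net-a": {"id": "net-a", "tenant_id": "tenant-a"},
    "net-b": {"id": "net-b", "tenant_id": "tenant-b"},
}


@dataclass(frozen=True)
class RequestContext:
    """What the API layer knows about the caller from the auth token."""
    tenant_id: str
    is_admin: bool = False


class NetworkNotFound(Exception):
    pass


class NotAuthorized(Exception):
    pass


def create_port_unchecked(ctx, body):
    """Before the fix: only the existence of network_id is verified, so any
    tenant can attach a port to any other tenant's network."""
    net = NETWORKS.get(body["network_id"])
    if net is None:
        raise NetworkNotFound(body["network_id"])
    return {"network_id": net["id"], "tenant_id": ctx.tenant_id}


def network_usable_by(ctx, net):
    """Ownership rule: the network's owner may attach to it, and an admin
    (the provider case from the description) may attach to any network."""
    return ctx.is_admin or net["tenant_id"] == ctx.tenant_id


def _get_network_for(ctx, network_id):
    net = NETWORKS.get(network_id)
    if net is None:
        raise NetworkNotFound(network_id)
    if not network_usable_by(ctx, net):
        # Design choice (assumption): raising NetworkNotFound here instead
        # would avoid confirming to a non-owner that the network id exists.
        raise NotAuthorized("network %s belongs to another tenant" % network_id)
    return net


def _owner_for(ctx, body):
    """Assumption: the new resource's tenant comes from the token, never from
    the body, unless an admin is creating it on a tenant's behalf."""
    requested = body.get("tenant_id")
    if requested is None or requested == ctx.tenant_id:
        return ctx.tenant_id
    if not ctx.is_admin:
        raise NotAuthorized("cannot create resources for tenant %s" % requested)
    return requested


def create_port(ctx, body):
    net = _get_network_for(ctx, body["network_id"])
    return {"network_id": net["id"], "tenant_id": _owner_for(ctx, body)}


def create_subnet(ctx, body):
    net = _get_network_for(ctx, body["network_id"])
    return {"network_id": net["id"], "cidr": body["cidr"],
            "tenant_id": _owner_for(ctx, body)}


def outcome(fn, ctx, body):
    """Run a create call and report how it ended."""
    try:
        fn(ctx, body)
        return "created"
    except NotAuthorized:
        return "forbidden"
    except NetworkNotFound:
        return "not found"


if __name__ == "__main__":
    tenant_b = RequestContext("tenant-b")
    admin = RequestContext("provider", is_admin=True)
    # Cross-tenant port creation slips through the unchecked version ...
    print(outcome(create_port_unchecked, tenant_b, {"network_id": "net-a"}))
    # ... and is rejected once ownership is validated.
    print(outcome(create_port, tenant_b, {"network_id": "net-a"}))
    # The admin/provider path still works.
    print(outcome(create_subnet, admin,
                  {"network_id": "net-a", "cidr": "10.0.0.0/24"}))
```

The check lives in one helper used by both the port and subnet paths, so the two resources cannot drift apart; the admin branch is the narrow hook for the provider use case mentioned in the description, and anything wider (e.g. per-network sharing) would need its own rule rather than a blanket bypass.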

Revision history for this message
dan wendlandt (danwent) wrote :

Note: this is required for a secure implementation of quantum API that is exposed to tenants. Hence, I am targeting F-2 so it stays high on the radar, though in practice F-2 won't be production complete, so this may not be done by then.

Changed in quantum:
importance: Undecided → High
status: New → Confirmed
milestone: none → folsom-2
Juliano Martinez (ncode)
Changed in quantum:
assignee: nobody → Juliano Martinez (ncode)
Gary Kotton (garyk)
Changed in quantum:
status: Confirmed → Fix Committed
status: Fix Committed → Confirmed
Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

Juliano,
do you reckon we are still on track for fixing this bug in F-2?

Revision history for this message
Juliano Martinez (ncode) wrote :

Salvatore,

I was sending an email about it :D. I planned to start work on it next week and I would feel more comfortable targeting F-3, but if it is a blocking issue I will give it focus now.

Revision history for this message
dan wendlandt (danwent) wrote :

This may be a pretty simple change, even one that could be cherry-picked into the milestone-proposed branch after tuesday if need be. I'm ok with this staying targeted to F-2 for another day or two if Juliano thinks he will be able to get to it soon (his work was held up by an email I took a while to respond to... sorry!)

Revision history for this message
Juliano Martinez (ncode) wrote :

Dan, I'm working on it today. No worries, maybe tomorrow or later Wednesday we will have a patch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/9264

Changed in quantum:
status: Confirmed → In Progress
dan wendlandt (danwent)
Changed in quantum:
milestone: folsom-2 → folsom-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/9264
Committed: http://github.com/openstack/quantum/commit/13070251129155ba4eb435f0af3d61418e9775e2
Submitter: Jenkins
Branch: master

commit 13070251129155ba4eb435f0af3d61418e9775e2
Author: Juliano Martinez <email address hidden>
Date: Wed Jul 4 23:32:59 2012 -0300

    Validate that network_id in port/subnet POST belongs to the same tenant

    Bug 1014989

    Change-Id: I17b619c502afb35fe0829e41a7d0f997d60998fa

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: folsom-3 → 2012.2