yahoo-eng-team team mailing list archive

[Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>]

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1221315

Title:
  _validate_network_tenant_ownership must be less strict

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  Neutron, currently does a strict validation code in https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L618
  so that for non-shared network the subnets and ports must belong to the same tenant as the network. In the case of a “service VM” created by an admin user, this function should return thus allowing admin users to create ports and networks in a tenant network.

  Original code:
  https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L604

  Proposed Fix:

      def _validate_network_tenant_ownership(self, request, resource_item):
          # TODO(salvatore-orlando): consider whether this check can be folded
          # in the policy engine
          if self._resource not in ('port', 'subnet') or request.context.is_admin:
              return
          network = self._plugin.get_network(
              request.context,
              resource_item['network_id'])
          # do not perform the check on shared networks
          if network.get('shared'):
              return

          network_owner = network['tenant_id']

          if network_owner != resource_item['tenant_id']:
              msg = _("Tenant %(tenant_id)s not allowed to "
                      "create %(resource)s on this network")
              raise webob.exc.HTTPForbidden(msg % {
                  "tenant_id": resource_item['tenant_id'],
                  "resource": self._resource,
              })

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1221315/+subscriptions