yahoo-eng-team team mailing list archive

[Bug 1337258] [NEW] fwaas: Admin should not be able to share tenant's firewall

 

Public bug reported:

An admin should not be able to update/create the shared attribute of a tenant's firewall, since if he shares it, it will affect the traffic of other tenants. Also, a member tenant is not able to update with shared as true; however, he is still able to update with false, hence I am seeing three more issues below.
I have seen this issue in neutron version 2014.2.dev543.g8bdc649

1. Admin is able to create a firewall with the shared option with a tenant id
 
root@overcloud-controller0-eq56cfdcitoq:~# fwc p1 --name f1 --tenant-id 9bc0f43fcefe46ceb1124d714467a788 --shared
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | e16342f9-7fd9-45c1-845f-f13f0dffc0dd |
| id                 | 44a7cf82-8606-45d9-be45-a1f5253ce6f4 |
| name               | f1                                   |
| status             | PENDING_CREATE                       |
| tenant_id          | 9bc0f43fcefe46ceb1124d714467a788     |
+--------------------+--------------------------------------+
 
2. Admin is able to update the shared attribute for that tenant's firewall
 
root@overcloud-controller0-eq56cfdcitoq:~# fwu f1 --shared true
Updated firewall: f1
root@overcloud-controller0-eq56cfdcitoq:~# fwu f1 --shared false
Updated firewall: f1
 
root@overcloud-controller0-eq56cfdcitoq:~# fws f1
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | e16342f9-7fd9-45c1-845f-f13f0dffc0dd |
| id                 | 44a7cf82-8606-45d9-be45-a1f5253ce6f4 |
| name               | f1                                   |
| status             | ACTIVE                               |
| tenant_id          | 9bc0f43fcefe46ceb1124d714467a788     |
+--------------------+--------------------------------------+
root@overcloud-controller0-eq56cfdcitoq:~# ktl
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 50b6196e426544638128f4b76ad24938 |  admin  |   True  |
| 4ea2a3dff61142a08b231c971c075bdf | service |   True  |
| 9bc0f43fcefe46ceb1124d714467a788 | tenant1 |   True  |
| 5db163fb680c4030a406a4ccaa259ce4 | tenant2 |   True  |
+----------------------------------+---------+---------+
 
3. From the tenant also, he is able to update the firewall with false (reference bug: 1323322).
It should throw an error like "Unrecognized attribute(s) 'shared'" instead of "resource not found".
 
root@overcloud-controller0-eq56cfdcitoq:~# fwu f1 --shared true
The resource could not be found.
root@overcloud-controller0-eq56cfdcitoq:~# fwu f1 --shared false
Updated firewall: f1

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: fwaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1337258

Title:
  fwaas:  Admin should not be able to share tenant's firewall

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1337258/+subscriptions
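
Added example, not part of the bug report and not Neutron code: a small model of the attribute check the report asks for, set beside a value-dependent check that reproduces the outcomes shown in issues 2 and 3. The Ctx shape, the function names, the second rejection message and the rule that an admin may set 'shared' only on its own tenant's firewall are assumptions; the report does not state the root cause, so the value-dependent variant is only one way such an asymmetry can arise.

```python
# Added illustration, not Neutron code. The Ctx shape, function names and
# exception type are assumptions; tenant ids are the ones shown in the report.
from dataclasses import dataclass

ADMIN_TENANT = "50b6196e426544638128f4b76ad24938"
TENANT1 = "9bc0f43fcefe46ceb1124d714467a788"


class Rejected(Exception):
    pass


@dataclass
class Ctx:
    tenant_id: str
    is_admin: bool = False


def check_by_value(ctx, owner_tenant, body):
    """Assumed flawed variant: only a truthy 'shared' triggers the check."""
    if body.get("shared") and not ctx.is_admin:
        raise Rejected("The resource could not be found.")


def check_by_presence(ctx, owner_tenant, body):
    """Reject on the presence of 'shared', whatever value it carries."""
    if "shared" not in body:
        return
    if not ctx.is_admin:
        raise Rejected("Unrecognized attribute(s) 'shared'")
    if owner_tenant != ctx.tenant_id:
        # Assumption: an admin may set 'shared' only on its own tenant's firewall.
        raise Rejected("'shared' cannot be set on another tenant's firewall")


def outcome(check, ctx, owner_tenant, body):
    """Return 'ok' or the rejection message for one update request."""
    try:
        check(ctx, owner_tenant, body)
        return "ok"
    except Rejected as exc:
        return str(exc)
```

With the presence-based check, a tenant's request gets the same error for --shared true and --shared false, and an admin request against tenant1's firewall is refused in both cases.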

