yahoo-eng-team team mailing list archive

[Bug 1342690] Re: nova allows bypassing neutron permission checking by allowing a user to plug instances into external neutron networking

*** This bug is a duplicate of bug 1284718 ***
    https://bugs.launchpad.net/bugs/1284718

** Information type changed from Private Security to Public

** This bug has been marked a duplicate of bug 1284718
   interface-attach to external network a) works and b) results in undeletable instances

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1342690

Title:
  nova allows bypassing neutron permission checking by allowing a user to
  plug instances into external neutron networking

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Havana/Ubuntu version of OpenStack (1:2013.2.3-0ubuntu1~cloud0)

  If OpenStack is set up with nova and neutron and a user uses nova to
  create an instance, nova allows creating ports on external networks,
  bypassing neutron permissions for network access.

  Steps to reproduce:
  1. Create an installation with nova/neutron.
  2. Create an external neutron network (ExtNet-UUID).
  3. Create an unprivileged (_member_) user and use its credentials.
  4. Boot an instance: nova boot bad_instance --flavor m1.small --image any-image --nic net-id=ExtNet-UUID

  Expected results: nova rejects the request because the external network does not belong to the tenant.
  Actual results: nova allows creating a port on the external network, and that port belongs to the user's tenant.

  That port is not operational, so the scope of the described problem is limited:
  1. incorrect records in 'neutron port-list'
  2. (more severe) depletion of external IP addresses beyond the user's quota for floating IPs in neutron.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1342690/+subscriptions
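The authorisation decision that the report expects nova to make before asking neutron for a port, as an added example that is not nova's or neutron's code: a small Python model of the rule (tenant ownership, the network's shared flag, admin override), run against constructed network and tenant records that mirror the reproduction steps above. The rule as written here, the field names, and the sample identifiers (ExtNet-UUID, PrivNet-UUID, the tenant names) are assumptions for illustration, not quotations of neutron's policy.

```python
"""Added example (not nova or neutron code): a model of the port-creation
authorisation check that should run before an instance is plugged into a
network. Network records, tenants and identifiers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str   # owning project of the network
    shared: bool     # modelled after neutron's 'shared' attribute
    external: bool   # modelled after neutron's 'router:external' attribute


@dataclass(frozen=True)
class Caller:
    tenant_id: str
    is_admin: bool


def may_create_port(caller: Caller, net: Network) -> bool:
    """Return True if caller may create a port directly on net.

    Modelled rule (assumption, not neutron's policy.json): admins may plug
    anywhere; a tenant may plug into networks it owns or networks marked
    shared. An external network owned by another tenant is neither, so a
    _member_ user is refused; tenants reach it via a router and floating
    IPs, which is what the floating-IP quota accounts for.
    """
    if caller.is_admin:
        return True
    if net.tenant_id == caller.tenant_id:
        return True
    return net.shared


def check_boot_nics(caller: Caller, nets_by_id: dict, requested_net_ids: list) -> list:
    """Return the net-ids in a boot request that must be refused.

    An unknown net-id is refused as well, so the caller cannot learn
    anything from the difference between 'missing' and 'forbidden'.
    """
    refused = []
    for nid in requested_net_ids:
        net = nets_by_id.get(nid)
        if net is None or not may_create_port(caller, net):
            refused.append(nid)
    return refused


# Constructed sample data mirroring the reproduction steps.
ADMIN_TENANT = "admin-tenant"
MEMBER_TENANT = "member-tenant"
EXT_NET = Network(id="ExtNet-UUID", tenant_id=ADMIN_TENANT, shared=False, external=True)
PRIV_NET = Network(id="PrivNet-UUID", tenant_id=MEMBER_TENANT, shared=False, external=False)
NETS = {n.id: n for n in (EXT_NET, PRIV_NET)}
MEMBER = Caller(tenant_id=MEMBER_TENANT, is_admin=False)
ADMIN = Caller(tenant_id=ADMIN_TENANT, is_admin=True)

if __name__ == "__main__":
    # The reported case: a _member_ user booting with --nic net-id=ExtNet-UUID.
    print(check_boot_nics(MEMBER, NETS, ["ExtNet-UUID"]))   # ['ExtNet-UUID']: boot must be rejected
    print(check_boot_nics(MEMBER, NETS, ["PrivNet-UUID"]))  # []: own network, allowed
    print(check_boot_nics(ADMIN, NETS, ["ExtNet-UUID"]))    # []: admin override
```

The point of the model is where the check sits: nova forwards the requested net-ids to neutron, so the decision has to be made (by nova or by neutron's own policy on port creation) before the port exists. Once the port is created in the member's tenant, the external subnet's address is consumed without touching the floating-IP quota, which is the second impact the report lists.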