yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1338885] Re: fwaas: admin should not be able to create firewall rule for non existing tenant

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Eugene Nikanorov <enikanorov@xxxxxxxxxxxx>
Date: Wed, 05 Nov 2014 10:47:55 -0000
Reply-to: Bug 1338885 <1338885@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I doubt this fits neutron, at least for now.
Neutron is not tenant-aware in the sense that it doesn't verify tenants against keystone.
And I don't think that's what we could do to fix this issue.

** Changed in: neutron
       Status: Confirmed => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1338885

Title:
  fwaas: admin should not be able to create firewall rule for non
  existing tenant

Status in OpenStack Neutron (virtual network service):
  Opinion

Bug description:
   Admin should not be able to create resources for non existing tenant.
        

  Steps to Reproduce:

  Actual Results: 
   
  root@IGA-OSC:~# neutron firewall-rule-create --protocol tcp --action deny --tenant-id bf4fbb928d574829855ebfd9e5d0e -->(non existing tenant-id. changed the last few characters)
  Created a new firewall_rule:
  +------------------------+--------------------------------------+
  | Field                  | Value                                |
  +------------------------+--------------------------------------+
  | action                 | deny                                 |
  | description            |                                      |
  | destination_ip_address |                                      |
  | destination_port       |                                      |
  | enabled                | True                                 |
  | firewall_policy_id     |                                      |
  | id                     | 7264e5a6-5752-4518-b26b-7c7395173747 |
  | ip_version             | 4                                    |
  | name                   |                                      |
  | position               |                                      |
  | protocol               | tcp                                  |
  | shared                 | False                                |
  | source_ip_address      |                                      |
  | source_port            |                                      |
  | tenant_id              | bf4fbb928d574829855ebfd9e5d0e        |
  +------------------------+--------------------------------------+
  root@IGA-OSC:~# ktl
  +----------------------------------+---------+---------+
  |                id                |   name  | enabled |
  +----------------------------------+---------+---------+
  | 0ad385e00e97476e9456945c079a21ea |  admin  |   True  |
  | 43af7b7c0dbc40bd90d03cc08df201ce | service |   True  |
  | d9481c57a11c46eea62886938b5378a7 | tenant1 |   True  |
  | bf4fbb928d574829855ebfd9e5d0e58c | tenant2 |   True  |
  +----------------------------------+---------+---------+
   
  ==============================================

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1338885/+subscriptions

References

[Bug 1338885] [NEW] fwaas: admin should not be able to create firewall rule for non existing tenant
From: Rajkumar, 2014-07-08