yahoo-eng-team team mailing list archive
Message #36971
[Bug 1485993] [NEW] Tenants could potentially modify rules from not owned policies
Public bug reported:
In configurations where the policy creation is left open to the tenants
by policy.json modification, this is possible:
a) Admin creates policy A, attaches Rule X
b) tenant creates policy B, modifies rule X via API.
AS ADMIN:
[vagrant@devstack ~]$ source ~/devstack/accrc/admin/admin
[vagrant@devstack ~]$ neutron qos-policy-create A --description "policy A"
Created a new policy:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description | policy A                             |
| id          | 98134993-746f-409b-89b2-f3487187f730 |
| name        | A                                    |
| rules       |                                      |
| shared      | False                                |
| tenant_id   | 1556829297534c378cad15feb8196012     |
+-------------+--------------------------------------+
[vagrant@devstack ~]$ neutron qos-bandwidth-limit-rule-create A --max_kbps 100
Created a new bandwidth_limit_rule:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| id             | 4a548459-c10f-4bf1-88fe-d20e277f2b50 |
| max_burst_kbps | 0                                    |
| max_kbps       | 100                                  |
+----------------+--------------------------------------+
AS REGULAR TENANT:
[vagrant@devstack ~]$ source ~/devstack/accrc/demo/demo
[vagrant@devstack ~]$ neutron qos-policy-create B --description "policy B"
Created a new policy:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description | policy B                             |
| id          | 2ec2b6e2-8427-4ffd-8ab1-f4a5d577e49b |
| name        | B                                    |
| rules       |                                      |
| shared      | False                                |
| tenant_id   | c931dc21a7a241fa80eaba0ba0a738c6     |
+-------------+--------------------------------------+
[vagrant@devstack ~]$ neutron qos-bandwidth-limit-rule-update 4a548459-c10f-4bf1-88fe-d20e277f2b50 B --max_kbps 222
Updated bandwidth_limit_rule: 4a548459-c10f-4bf1-88fe-d20e277f2b50
[vagrant@devstack ~]$ neutron qos-bandwidth-limit-rule-show 4a548459-c10f-4bf1-88fe-d20e277f2b50 B
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| id             | 4a548459-c10f-4bf1-88fe-d20e277f2b50 |
| max_burst_kbps | 0                                    |
| max_kbps       | 222                                  |
+----------------+--------------------------------------+
** Affects: neutron
Importance: Undecided
Status: New
** Tags: qos
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1485993
Title:
Tenants could potentially modify rules from not owned policies
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1485993/+subscriptions
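
The behaviour in the transcript above, as an added example (not part of the original bug report and not Neutron's code): an assumed in-memory model where ownership is checked on the policy named in the request while the rule is fetched by ID alone, next to a form that ties the rule to the authorized policy. The store layout and function names are hypothetical; the IDs are the ones from the report.

```python
# Simplified model of the behaviour in the transcript; not Neutron's code.
# Store layout and function names are hypothetical; IDs come from the report.
ADMIN = "1556829297534c378cad15feb8196012"
DEMO = "c931dc21a7a241fa80eaba0ba0a738c6"
POLICY_A = "98134993-746f-409b-89b2-f3487187f730"
POLICY_B = "2ec2b6e2-8427-4ffd-8ab1-f4a5d577e49b"
RULE_X = "4a548459-c10f-4bf1-88fe-d20e277f2b50"


class NotFound(Exception):
    pass


def fresh_store():
    """State after the admin steps: rule X (100 kbps) attached to policy A."""
    return {
        "policies": {POLICY_A: {"tenant_id": ADMIN}, POLICY_B: {"tenant_id": DEMO}},
        "rules": {RULE_X: {"policy_id": POLICY_A, "max_kbps": 100}},
    }


def get_policy(store, tenant_id, policy_id):
    """Return the policy only if the caller owns it."""
    policy = store["policies"].get(policy_id)
    if policy is None or policy["tenant_id"] != tenant_id:
        raise NotFound(policy_id)
    return policy


def update_rule_unbound(store, tenant_id, rule_id, policy_id, **fields):
    """Weak form: the policy in the request is authorized, but the rule is
    then fetched by its ID alone, so it may belong to a different policy."""
    get_policy(store, tenant_id, policy_id)
    rule = store["rules"][rule_id]
    rule.update(fields)
    return rule


def update_rule_bound(store, tenant_id, rule_id, policy_id, **fields):
    """Hardened form: the rule must belong to the policy that was authorized."""
    get_policy(store, tenant_id, policy_id)
    rule = store["rules"].get(rule_id)
    if rule is None or rule["policy_id"] != policy_id:
        raise NotFound(rule_id)  # same answer as for a nonexistent rule
    rule.update(fields)
    return rule
```

A regression test for the fix would replay the tenant's update against policy B and assert that rule X still reads 100 kbps afterwards.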