yahoo-eng-team team mailing list archive
Message #40000
[Bug 1505406] [NEW] Queries for fetching quotas are not scoped
Public bug reported:
get_tenant_quotas retrieves quotas for a tenant without scoping the query with the tenant_id issuing the request [1]; even if the API extension has an explicit authorisation check (...) [2], it is advisable to scope the query so that this problem is avoided.
This is particularly relevant as, with the pecan framework, quota management APIs are no longer "special" from an authZ perspective, but use the same authorization hook as any other API.
[1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/quota/driver.py#n50
[2] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/quotasv2.py#n87
** Affects: neutron
Importance: Medium
Assignee: Salvatore Orlando (salvatore-orlando)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1505406
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1505406/+subscriptions
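The following is an added illustration of the point raised in the report, not code from Neutron or from the bug reporter: a quota lookup that filters only on the requested tenant_id beside one that first scopes the query by the requesting context, so that a non-admin caller cannot read another tenant's rows even if the API-layer authorisation check is bypassed or misconfigured. The `Context` class, the `quotas` table, the `model_query` helper and the sample rows are all constructed here for the example and are not Neutron's own definitions; the scoping rule (admins see everything, everyone else only their own tenant) is an assumption that mirrors the behaviour the report asks for.

```python
import sqlite3

# Constructed sample data for the example (not taken from any real deployment).
SAMPLE_QUOTAS = [
    ("tenant-a", "network", 10),
    ("tenant-a", "port", 50),
    ("tenant-b", "network", 3),
]


class Context:
    """Stand-in for a request context: which tenant is asking and whether it is admin."""

    def __init__(self, tenant_id, is_admin=False):
        self.tenant_id = tenant_id
        self.is_admin = is_admin


def build_db():
    """Create an in-memory quotas table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quotas (tenant_id TEXT, resource TEXT, hard_limit INTEGER)"
    )
    conn.executemany("INSERT INTO quotas VALUES (?, ?, ?)", SAMPLE_QUOTAS)
    return conn


def get_tenant_quotas_unscoped(conn, context, tenant_id):
    """The problematic shape: filters on the *requested* tenant only.

    The requesting context is accepted but never consulted, so any caller who
    reaches this function can read any tenant's quotas.
    """
    rows = conn.execute(
        "SELECT resource, hard_limit FROM quotas WHERE tenant_id = ?", (tenant_id,)
    ).fetchall()
    return dict(rows)


def model_query(context):
    """Hypothetical base query builder that applies the context scope first.

    Admin contexts get the unrestricted table; any other context is pinned to
    its own tenant_id before callers add further filters.
    """
    sql = "SELECT tenant_id, resource, hard_limit FROM quotas"
    params = []
    if not context.is_admin:
        sql += " WHERE tenant_id = ?"
        params.append(context.tenant_id)
    return sql, params


def get_tenant_quotas_scoped(conn, context, tenant_id):
    """Hardened shape: the requested tenant filter is added on top of the scoped base query.

    A non-admin asking for another tenant's quotas gets an empty result, because
    both tenant_id predicates must hold; the protection lives in the query itself
    rather than only in the API extension's authorisation check.
    """
    sql, params = model_query(context)
    sql += (" AND" if params else " WHERE") + " tenant_id = ?"
    params.append(tenant_id)
    return {resource: limit for _tenant, resource, limit in conn.execute(sql, params)}


def demo():
    """Compare both lookups when tenant-b asks for tenant-a's quotas."""
    conn = build_db()
    attacker = Context("tenant-b")
    admin = Context("admin-project", is_admin=True)
    return {
        "unscoped_cross_tenant": get_tenant_quotas_unscoped(conn, attacker, "tenant-a"),
        "scoped_cross_tenant": get_tenant_quotas_scoped(conn, attacker, "tenant-a"),
        "scoped_own_tenant": get_tenant_quotas_scoped(conn, attacker, "tenant-b"),
        "scoped_admin": get_tenant_quotas_scoped(conn, admin, "tenant-a"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check worth carrying into a review of any similar driver method is the second line of the demo: with the scope applied in the query, a cross-tenant read from a non-admin context returns nothing, independent of whether the policy hook in front of it fired.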