
yahoo-eng-team team mailing list archive

[Bug 1505406] Re: Queries for fetching quotas are not scoped

 

Reviewed:  https://review.openstack.org/233855
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=24b482ac15b5fa99edd2c3438318a41f9af06bcf
Submitter: Jenkins
Branch:    master

commit 24b482ac15b5fa99edd2c3438318a41f9af06bcf
Author: Salvatore Orlando <salv.orlando@xxxxxxxxx>
Date:   Mon Oct 12 15:47:03 2015 -0700

    Scope get_tenant_quotas by tenant_id
    
    Using model_query in the operation for retrieving tenant limits
    will spare the need for explicit authorization check in the
    quota controller. This is particularly relevant for the pecan
    framework where every Neutron API call undergoes authZ checks
    in the same pecan hook.
    
    This patch will automatically adapt to eventual changes
    introducing "un-scoped" contexts.
    
    Closes-bug: #1505406
    
    Change-Id: I6952f5c85cd7fb0263789f768d23de3fe80b8183


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1505406

Title:
  Queries for fetching quotas are not scoped

Status in neutron:
  Fix Released

Bug description:
  get_tenant_quotas retrieves quotas for a tenant without scoping the
  query with the tenant_id issuing the request [1]; even if the API
  extension has an explicit authorisation check (...) [2], it is
  advisable to scope the query so that this problem is avoided.

  This is particularly relevant as with the pecan framework quota
  management APIs are not anymore "special" from an authZ perspective,
  but use the same authorization hook as any other API.

  
  [1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/quota/driver.py#n50
  [2] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/quotasv2.py#n87

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1505406/+subscriptions
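
An added illustration of the bug and its fix, not code from neutron or from the message above: a quota lookup that filters only on the requested tenant_id, next to one routed through a helper that also scopes the query to the caller's context. The `Context` class, table layout, function names and sample rows are assumptions constructed for this example; `scoped_query` is a simplified stand-in for the scoping the commit message attributes to model_query.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Hypothetical request context: the caller's tenant and admin flag."""
    tenant_id: str
    is_admin: bool = False


def make_db():
    """Build an in-memory quota table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE quotas (tenant_id TEXT, resource TEXT, quota_limit INTEGER)")
    db.executemany("INSERT INTO quotas VALUES (?, ?, ?)", [
        ("tenant-a", "network", 10),
        ("tenant-a", "port", 50),
        ("tenant-b", "network", 99),
    ])
    return db


QUOTA_SQL = "SELECT resource, quota_limit FROM quotas WHERE tenant_id = ?"


def get_quotas_unscoped(db, context, tenant_id):
    """Filters on the requested tenant only; the caller's context is ignored.

    Correctness depends entirely on an authorization check made elsewhere.
    """
    return dict(db.execute(QUOTA_SQL, (tenant_id,)).fetchall())


def scoped_query(db, context, sql, params=()):
    """Add the caller's tenant as an extra filter unless the context is admin."""
    if not context.is_admin:
        sql += " AND tenant_id = ?"
        params = tuple(params) + (context.tenant_id,)
    return db.execute(sql, params)


def get_quotas_scoped(db, context, tenant_id):
    """Same lookup, but rows outside the caller's tenant can never match."""
    return dict(scoped_query(db, context, QUOTA_SQL, (tenant_id,)).fetchall())
```

With the scoped variant, a missing or misconfigured authorization hook yields an empty result for a foreign tenant rather than that tenant's limits.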

