yahoo-eng-team team mailing list archive
Message #51064
[Bug 1233335] Re: Nova calls into neutron as admin circumventing fixed-ip on shared network
This wishlist bug has been open a year without any activity. I'm going
to move it to "Opinion / Wishlist", which is an easily-obtainable queue
of older requests that have come on.
** Changed in: nova
Status: Confirmed => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1233335
Title:
Nova calls into neutron as admin circumventing fixed-ip on shared
network
Status in OpenStack Compute (nova):
Opinion
Bug description:
In Neutron, on shared networks the default policy is to not allow
tenants to specify their own fixed IPs. This is done so that one
cannot deliberately try to impersonate another tenant's instance after it
has been deleted. The reason it is working is because nova is calling
into neutron as admin.
$ quantum port-create --fixed-ip ip_address=10.2.0.44 shared-net
{"NeutronError": "Policy doesn't allow create_port to be performed."}
^Fails
$ nova boot --image cirros-0.3.1-x86_64-uec --nic net-id=abce62c9-2d83-42ea-ada2-fd24e14af842,v4-fixed-ip=10.2.0.44 --flavor 1 vm23
^Succeeds
Marking as a security vulnerability though it's probably not really a
big deal.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1233335/+subscriptions
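
The behaviour reported above, as an added example that is not part of the original message and is not Nova or Neutron code: a simplified model of a network service that enforces the fixed-IP rule on the caller's context, and a compute front end that forwards tenant requests under its own admin context. All class and function names are hypothetical, and boot_as_user is one possible mitigation assumed here, not something the bug report proposes.

```python
from dataclasses import dataclass

class PolicyNotAuthorized(Exception):
    """Raised when the caller's context fails the policy check."""

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

@dataclass(frozen=True)
class Network:
    net_id: str
    owner: str
    shared: bool

def create_port(ctx, net, fixed_ip=None, for_tenant=None):
    """Model of the network service: policy is evaluated on ctx, the caller."""
    privileged = ctx.is_admin or ctx.tenant_id == net.owner
    if not (net.shared or privileged):
        raise PolicyNotAuthorized("create_port")
    # Only admin or the network owner may choose a fixed IP or act for a tenant.
    if (fixed_ip is not None or for_tenant is not None) and not privileged:
        raise PolicyNotAuthorized("create_port")
    return {"network": net.net_id, "tenant": for_tenant or ctx.tenant_id,
            "fixed_ip": fixed_ip or "allocated-by-service"}

SERVICE_ADMIN = Context("compute-service", is_admin=True)

def boot_as_admin(user_ctx, net, fixed_ip=None):
    """Reported behaviour: the tenant's request is replayed with admin rights."""
    return create_port(SERVICE_ADMIN, net, fixed_ip, for_tenant=user_ctx.tenant_id)

def boot_as_user(user_ctx, net, fixed_ip=None):
    """Assumed mitigation: create the port under the requesting tenant's context."""
    return create_port(user_ctx, net, fixed_ip)

def demo():
    # Constructed sample data; the address is the one used in the bug report.
    net = Network("shared-net", owner="tenant-a", shared=True)
    tenant_b = Context("tenant-b")
    results = {}
    for name, boot in (("as_admin", boot_as_admin), ("as_user", boot_as_user)):
        try:
            boot(tenant_b, net, "10.2.0.44")
            results[name] = "allowed"
        except PolicyNotAuthorized:
            results[name] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```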