yahoo-eng-team team mailing list archive

[Bug 1301532] Re: Quotas can be exceeded by making highly parallel requests

 

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (LIBERTY, MITAKA, OCATA, NEWTON).
  Valid example: CONFIRMED FOR: LIBERTY


** Changed in: nova
   Importance: Medium => Undecided

** Changed in: nova
       Status: Confirmed => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1301532

Title:
  Quotas can be exceeded by making highly parallel requests

Status in OpenStack Compute (nova):
  Expired
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  By making parallel API requests to create new keypairs I was able to
  create 162 keypairs when my quota only allows for 100.

  I suspect this is due to the code in Nova doing the check for how many
  keypairs the user currently has at the beginning of the request cycle,
  and if enough requests check in parallel they all return zero before
  any are created, allowing far too many to sneak through.

  I also suspect this behavior is true for any quota'd resource that
  doesn't go through the scheduler.

  This doesn't seem like a high-priority issue with the data currently
  available, but it may be potentially exploitable, hence I'm setting
  the security flag on the ticket just to be sure it gets triaged
  appropriately before we allow any malicious user on the internet to
  exceed their quotas.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1301532/+subscriptions
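
The check-then-create race suspected in the bug description above, shown beside a form where the check and the insert are one atomic step. This is an added example, not part of the original report and not Nova's code; `KeypairStore`, `run` and the in-memory list are assumptions made for illustration, and the `threading.Lock` stands in for whatever atomic primitive a real service would use (for example a database transaction or a conditional update).

```python
import threading


class KeypairStore:
    """Constructed in-memory stand-in for a per-user keypair table."""

    def __init__(self, quota):
        self.quota = quota
        self.rows = []
        self.lock = threading.Lock()

    def create_check_then_insert(self, name, between):
        # Pattern from the report: the count is read at the start of the
        # request and the insert happens later, with nothing tying them.
        if len(self.rows) >= self.quota:
            return False
        between()  # window in which other requests run their own check
        self.rows.append(name)
        return True

    def create_atomic(self, name, between):
        # Check and insert share one critical section, so no other request
        # can observe a stale count.
        with self.lock:
            if len(self.rows) >= self.quota:
                return False
            between()
            self.rows.append(name)
            return True


def run(parallel, quota, atomic):
    """Fire `parallel` create requests at once; return how many rows exist."""
    store = KeypairStore(quota)
    if atomic:
        create, between = store.create_atomic, (lambda: None)
    else:
        # The barrier makes the bad interleaving deterministic: every request
        # completes its quota check before any request inserts.
        barrier = threading.Barrier(parallel)
        create, between = store.create_check_then_insert, barrier.wait
    threads = [threading.Thread(target=create, args=(f"kp-{i}", between))
               for i in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(store.rows)


if __name__ == "__main__":
    print("check-then-insert:", run(8, 5, atomic=False), "rows, quota 5")
    print("atomic:           ", run(8, 5, atomic=True), "rows, quota 5")
```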