Abandon/adopt don't consider project
Bug #1301314 reported by Steven Hardy
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Heat | Triaged | Medium | Vijendar Komalla | |
Bug Description
We don't include the project ID in the abandon data, but all resources being abandoned exist in a specific tenant/project, so while heat will allow you to adopt resources from another project, and the stack ends up ADOPT_COMPLETE, everything will break if you then try to do anything with the stack.
This is one aspect of the complete lack of data validation on adopt which we need to fix.
I've not found a specific exploit, but clearly this behaviour is undesirable and could be open to abuse. IMO we should restrict abandon/adopt to include the project_id and validate the scope of the request on adopt matches the project_id in the abandon data.
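The check the report asks for, written here as an added example rather than Heat's own code: it assumes abandon data is the JSON object that stack-abandon emits, carrying top-level "name", "template" and "resources" keys plus the proposed "project_id", and it refuses adopt when that field is missing or does not match the project the request is scoped to.

```python
import json

# Keys the validator requires in the abandon/adopt document (assumed shape, not
# Heat's actual schema; "project_id" is the field the bug report proposes adding).
REQUIRED_KEYS = ("name", "template", "resources", "project_id")


class AdoptValidationError(ValueError):
    """Raised when adopt data must not be adopted into the requesting project."""


def validate_adopt_data(raw_adopt_data, request_project_id):
    """Parse adopt JSON and return it only if it belongs to request_project_id."""
    try:
        data = json.loads(raw_adopt_data)
    except (TypeError, ValueError) as exc:
        raise AdoptValidationError("adopt data is not valid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise AdoptValidationError("adopt data must be a JSON object")

    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        # A dump produced without project_id is rejected rather than guessed at.
        raise AdoptValidationError("adopt data missing: %s" % ", ".join(missing))

    if data["project_id"] != request_project_id:
        # Resources live in another tenant: the stack would reach ADOPT_COMPLETE
        # but every later update or delete would fail, as the report describes.
        raise AdoptValidationError(
            "adopt data belongs to project %r but request is scoped to %r"
            % (data["project_id"], request_project_id))

    if not isinstance(data["resources"], dict):
        raise AdoptValidationError("resources must be an object keyed by name")
    return data


def check_adopt(raw_adopt_data, request_project_id):
    """Convenience wrapper: (True, None) if adoptable, else (False, reason)."""
    try:
        validate_adopt_data(raw_adopt_data, request_project_id)
    except AdoptValidationError as exc:
        return False, str(exc)
    return True, None


# Constructed sample abandon output (hypothetical values, not real Heat data).
SAMPLE_ABANDON_DATA = json.dumps({
    "name": "demo",
    "project_id": "tenant-a",
    "template": {"heat_template_version": "2013-05-23", "resources": {}},
    "resources": {"my_server": {"type": "OS::Nova::Server",
                                "resource_id": "server-id-placeholder"}},
})
```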
Changed in heat:
- status: New → Triaged
- importance: Undecided → Medium
- milestone: none → juno-1
- tags: added: icehouse-rc-potential
- tags: removed: icehouse-rc-potential

Changed in heat:
- assignee: nobody → Vijendar Komalla (vijendar-komalla)

Changed in heat:
- milestone: juno-1 → juno-2

Changed in heat:
- milestone: juno-3 → juno-rc1
- tags: added: abandon-adopt

Changed in heat:
- milestone: kilo-1 → kilo-2
- status: In Progress → Triaged

Changed in heat:
- milestone: kilo-2 → next
An additional side-effect of this is if you adopt a stack with resources from another project, you can't delete it - you have to do stack-abandon to remove it from the DB.
That actually turns out to be a nicer way for folks to recover from the occasional DELETE_FAILED states which have occurred in the past due to bugs (e.g. instead of having to fix up the DB or drop everything).