Unauthorized user can release floating_ips
Bug #855115 reported by Ray Hookway
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Ray Hookway |
Bug Description
EC2 commands which manipulate floating_ips do not check that the user is associated with the project to which the address belongs. For example, ReleaseAddress can be used by a user who is a netadmin in one project to release an address which has been allocated to a second project of which the user is not a member. (See EC2 comment in floating_
Related branches
lp://staging/~cbehrens/nova/milestone-proposed.lp855115
- Thierry Carrez: Approve
Diff: 174 lines (+68/-12)
5 files modified
nova/api/ec2/__init__.py (+4/-0)
nova/api/openstack/contrib/floating_ips.py (+6/-1)
nova/db/sqlalchemy/api.py (+11/-10)
nova/tests/api/openstack/contrib/test_floating_ips.py (+1/-1)
nova/tests/test_network.py (+46/-0)
lp://staging/~cbehrens/nova/lp855115
- Vish Ishaya (community): Approve
- Paul Voccio (community): Approve
- Kevin L. Mitchell (community): Approve
Diff: 175 lines (+68/-12)
5 files modified
nova/api/ec2/__init__.py (+4/-0)
nova/api/openstack/contrib/floating_ips.py (+6/-1)
nova/db/sqlalchemy/api.py (+11/-10)
nova/tests/api/openstack/contrib/test_floating_ips.py (+1/-1)
nova/tests/test_network.py (+46/-0)
Changed in nova:
milestone: none → 2011.3
importance: Undecided → High
status: New → In Progress
assignee: nobody → Ray Hookway (rjh)
description: updated
summary: Unauthorized user can release fixed_ips → Unauthorized user can release floating_ips
Changed in nova:
status: In Progress → Fix Committed
visibility: private → public
Changed in nova:
status: Fix Committed → Fix Released
The attached file is a patch that we are applying to our Diablo-2 based environment. We have tested the patch in our environment and believe it will work against the trunk, but haven't been able to test it there. We have confirmed that the patch applies cleanly to the trunk except for the tests. (The order of the tests has changed.)
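The missing ownership check from the bug description, shown as an added example that is not nova's code and not the attached patch. It is a minimal Python model: `Context`, `FloatingIP`, `NotAuthorized` and the `release_*` functions are hypothetical names, and the address and project IDs are constructed sample data.

```python
# Added illustration: a self-contained model, not nova's code.
# Context, FloatingIP, NotAuthorized and the release_* functions are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional


class NotAuthorized(Exception):
    """The caller's project does not own the address."""


@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class FloatingIP:
    address: str
    project_id: Optional[str]  # None means unallocated


def release_unchecked(pool: Dict[str, FloatingIP], ctx: Context, address: str) -> None:
    """Behaviour described in the bug: ctx.project_id is never compared."""
    pool[address].project_id = None


def release_checked(pool: Dict[str, FloatingIP], ctx: Context, address: str) -> None:
    """Authorize before mutating, so a denied call leaves ownership untouched."""
    ip = pool[address]
    if not ctx.is_admin and (ip.project_id is None or ip.project_id != ctx.project_id):
        raise NotAuthorized(f"{ctx.user_id} may not release {ip.address}")
    ip.project_id = None


def demo() -> Dict[str, Optional[str]]:
    """Run both variants as a project-a netadmin against project-b's address."""
    caller = Context(user_id="alice", project_id="project-a")
    owner_after = {}
    for name, release in (("unchecked", release_unchecked), ("checked", release_checked)):
        pool = {"10.0.0.5": FloatingIP("10.0.0.5", "project-b")}  # constructed data
        try:
            release(pool, caller, "10.0.0.5")
        except NotAuthorized:
            pass
        owner_after[name] = pool["10.0.0.5"].project_id
    return owner_after
```

`demo()` returns the owning project of the address after each call, so the unchecked variant shows the address released by a non-member while the checked variant leaves it with project-b.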