neutron

[API] Filtering by fields not allowed to see is possible for regular users

Bug #1884067 reported by Slawek Kaplonski on 2020-06-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Confirmed	High	vinay harsha mitta

Bug Description

It seems that regular user, even if can't see binding:host_id field for the port can filter based on this field:

neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+
| id |
+--------------------------------------+
| 79949e8d-98dc-4fba-8897-c85a2bf89da7 |
| 7b91b484-4a9d-4160-84f7-bf1aed35d42a |
| 92023b4e-11bd-42be-a60d-609dc237873d |
| d987e708-1439-411d-848c-15a918ec3198 |
+--------------------------------------+

[stack@undercloud-0 ~]$ neutron port-list --binding:host_id compute-1.redhat.local
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| 7b91b484-4a9d-4160-84f7-bf1aed35d42a | | fa:16:3e:38:fe:b6 | {"subnet_id": "da9e51d0-a9a5-43ee-8ae1-d79bbfd9ee71", "ip_address": "192.168.100.151"} |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
[stack@undercloud-0 ~]$ neutron port-list --binding:host_id compute-0.redhat.local
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.

Tags:

vinay harsha mitta (vinay7) on 2020-09-29

Changed in neutron:
assignee:	nobody → vinay harsha mitta (vinay7)

Revision history for this message

vinay harsha mitta (vinay7) wrote on 2020-10-01:

Hi adding my understanding here regarding this bug, please let me know if i miss something:
With reference to this[1] i could understand that a regular user's response doesn't contain binding-opt,
but a admin do[2], so a regular user should be restricted with that filtering field.

reproduced in my single host env:http://paste.openstack.org/show/798593/

[1] : https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports-detail#id70

[2] : https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports-detail#id71

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.