Security groups leak across tenants for admin users

Bug #1046054 reported by Gabriel Hurley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Eoghan Glynn |
OpenStack Dashboard (Horizon) | Won't Fix | High | Gabriel Hurley |

Bug Description

As a follow-on to https://bugs.launchpad.net/horizon/+bug/967882 (which fixed this problem for everything else), the same issue still exists for security groups.

An admin user who requests security groups using a token scoped to a particular tenant still sees all the security groups in the system. Requests for all security groups vs. only those for the current scope should be differentiated as they were for everything else.

Attempting to launch an instance with a security group from another project results in an API error (but thankfully doesn't crash nova like the volume attachment bug did).

Changed in horizon:
milestone: none → folsom-rc1
milestone: folsom-rc1 → none
Thierry Carrez (ttx) wrote :

Would be good to fix that before release.

Changed in nova:
importance: Undecided → Medium
milestone: none → folsom-rc1
status: New → Confirmed
Gabriel Hurley (gabriel-hurley) wrote :

If Nova will get this fixed, Horizon doesn't actually need to do anything, so I'm gonna close this for Horizon.

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → Won't Fix
Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
status: Confirmed → Triaged
Eoghan Glynn (eglynn)
Changed in nova:
assignee: Vish Ishaya (vishvananda) → Eoghan Glynn (eglynn)
Eoghan Glynn (eglynn)
Changed in nova:
status: Triaged → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/13022

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/13022
Committed: http://github.com/openstack/nova/commit/29af2252a8bc97157a52fddca78b31224eb55dac
Submitter: Jenkins
Branch: master

commit 29af2252a8bc97157a52fddca78b31224eb55dac
Author: Eoghan Glynn <email address hidden>
Date: Fri Sep 14 11:15:29 2012 +0000

    All security groups not returned to admins by default.

    Fixes bug 1046054.

    Previously security groups relating to all tenants were returned
    when requested by an admin user.

    Now only those groups related to the current tenant are returned
    by default.

    To recover the old behaviour, the all_tenants search option may
    be specified via the native API with:

      /v2/<project_id>/os-security-groups?all_tenants=1

    or via the EC2 API with:

      Action=DescribeSecurityGroups&Filter.1.Name=all-tenants&Filter.1.Value.1=1

    Note that the latter is slightly ultra vires with respect to the
    EC2 API spec, in the sense that this filter is in addition to the
    standard set. Since we don't pay attention to many of these standard
    filters as yet, this stepping slightly off-piste is deemed worth it.

    Change-Id: I6157e408394d04096d21747d665e3b3aa6aa55de

Changed in nova:
status: In Progress → Fix Committed
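
The default-scoping behaviour described in the commit message above, sketched as an added example (not nova's code and not part of the original report). `RequestContext`, `SecurityGroup`, `list_security_groups` and `leaked_groups` are hypothetical names, the sample groups are constructed, and the handling of a non-admin `all_tenants` request is an assumption.

```python
# Added illustration only: not nova's code. All names here are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    project_id: str   # tenant the token is scoped to
    is_admin: bool


@dataclass(frozen=True)
class SecurityGroup:
    id: int
    name: str
    project_id: str


def wants_all_tenants(search_opts):
    # Assumption: only an explicit truthy value opts in; absent means scoped.
    return str(search_opts.get("all_tenants", "0")).lower() in ("1", "true", "yes")


def list_security_groups(context, groups, search_opts=None):
    """Default: only groups owned by the token's project, even for admins.
    Cross-tenant listing needs both the admin role and all_tenants."""
    search_opts = search_opts or {}
    if context.is_admin and wants_all_tenants(search_opts):
        return list(groups)
    # Assumption: a non-admin asking for all_tenants is silently scoped.
    return [g for g in groups if g.project_id == context.project_id]


def leaked_groups(context, returned):
    """Regression check: groups in a default listing owned by another tenant."""
    return [g for g in returned if g.project_id != context.project_id]


# Constructed sample data: two tenants that both own a group named "default".
GROUPS = [
    SecurityGroup(1, "default", "tenant-a"),
    SecurityGroup(2, "web", "tenant-a"),
    SecurityGroup(3, "default", "tenant-b"),
]

if __name__ == "__main__":
    admin_a = RequestContext("tenant-a", is_admin=True)
    print([g.id for g in list_security_groups(admin_a, GROUPS)])
    print([g.id for g in list_security_groups(admin_a, GROUPS, {"all_tenants": "1"})])
```

Passing the unfiltered list to `leaked_groups` reproduces the condition the report describes, so the same helper can serve as an assertion in a tenant-isolation regression test.
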
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2