DB Api doesn't filter per tenant

Bug #1256117 reported by Sylvain Bauza
This bug affects 1 person
Affects: Blazar
Status: Fix Released
Importance: Critical
Assigned to: Sylvain Bauza
Milestone:

Bug Description

A regression appeared with the context refactoring, as model_queries filters on context.project_id while the context does not have this key, only tenant_id. As a result, any user can query the API and get all the results for all tenants...

The lease also does not have project_id stored.

summary: - DB Api doesn't filter per tenant !
+ DB Api doesn't filter per tenant
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to climate (master)

Fix proposed to branch: master
Review: https://review.openstack.org/59109

Changed in climate:
status: New → In Progress
Dina Belova (dbelova)
Changed in climate:
milestone: none → icehouse-2
Dina Belova (dbelova)
Changed in climate:
milestone: none → 0.1.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to climate (master)

Reviewed: https://review.openstack.org/59109
Committed: https://git.openstack.org/cgit/stackforge/climate/commit/?id=9fc6b17f8761b046987438df7ed7a0c1a146d639
Submitter: Jenkins
Branch: master

commit 9fc6b17f8761b046987438df7ed7a0c1a146d639
Author: sbauza <email address hidden>
Date: Fri Nov 29 00:35:48 2013 +0100

    Filter DB queries per project_id

    Currently, DB queries don't filter on project_id, so any user can
    request all DB entries.

    The proposal here is to filter if the table does support tenant_id
    in it and if the user is not admin (based on Nova/Cinder/Oslo)

    In order to automatically provide the correct is_admin flag, now
    when creating the context we check if policy defines the user as
    admin.

    Closes-Bug: #1256117

    Change-Id: I85c404f5a3365c6a9c575af52f1a116f8350f426

Changed in climate:
status: In Progress → Fix Committed
Dina Belova (dbelova)
Changed in climate:
status: Fix Committed → Fix Released
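
The filtering rule from the commit message above (filter on tenant_id when the table has that column and the caller is not admin), as an added example that is not Climate's own code. It uses sqlite3 in place of the project's DB layer; the Context class, the table names, the table allowlist and the fail-closed check for a context without a tenant id are assumptions made for illustration.

```python
import sqlite3
from typing import Optional


class Context:
    """Hypothetical request context; not Climate's context class."""
    def __init__(self, user_id: str, tenant_id: Optional[str], is_admin: bool = False):
        self.user_id, self.tenant_id, self.is_admin = user_id, tenant_id, is_admin


# Table names cannot be bound as SQL parameters, so only known names are accepted.
KNOWN_TABLES = {"leases", "plugins"}


def model_query(conn, context, table):
    """Return the rows of `table` that `context` is allowed to see."""
    if table not in KNOWN_TABLES:
        raise ValueError("unknown table: %r" % table)
    # PRAGMA table_info yields one row per column; field 1 is the column name.
    columns = {row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)}
    sql, params = "SELECT * FROM %s" % table, ()
    if "tenant_id" in columns and not context.is_admin:
        if not context.tenant_id:
            # Assumed hardening: a non-admin context with no tenant id is
            # refused rather than silently served an unfiltered result.
            raise PermissionError("non-admin context without tenant_id")
        sql += " WHERE tenant_id = ?"
        params = (context.tenant_id,)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Build a constructed in-memory database with two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leases (id TEXT, name TEXT, tenant_id TEXT)")
    conn.execute("CREATE TABLE plugins (id TEXT, name TEXT)")  # no tenant column
    conn.executemany("INSERT INTO leases VALUES (?, ?, ?)", [
        ("lease-1", "alpha", "tenant-a"),
        ("lease-2", "beta", "tenant-b"),
        ("lease-3", "gamma", "tenant-b"),
    ])
    conn.execute("INSERT INTO plugins VALUES ('plugin-1', 'dummy')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(model_query(db, Context("alice", "tenant-a"), "leases"))
    print(model_query(db, Context("root", "tenant-a", is_admin=True), "leases"))
```

A regression test for this class of bug queries as one tenant and asserts that no row belonging to another tenant comes back.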