Juniper Openstack

User can associate FIP in his project to a port in any other project

Bug #1373849 reported by Vedamurthy Joshi on 2014-09-25

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R1.1	Fix Committed	High	Sachin Bansal	Juniper Openstack r1.20
Trunk	Fix Committed	High	Sachin Bansal

Bug Description

R1.10 Build 39

There are 3 projects admin, public(with user u1, member role), and project1(with user p1u1, member role)

public_vn is created in "public" project (shared, router:external)

In project1, user p1u1 created a port in project1

In public project, user u1 created a floating ip from public_vn. The user u1 could then associate this FIP to the port created in project1 !!

root@nodec22:~# source p1u1rc
root@nodec22:~#
root@nodec22:~# neutron port-create backend1
Created a new port:
+-----------------+-----------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------+
| Field | Value
                                                          |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------+
| admin_state_up | True
                                                          |
| device_id |
                                                          |
| device_owner | |
| fixed_ips | {"subnet_id": "1634b4eb-7ac3-4412-801c-df47df0107dc", "ip_address": "200.1.1.4", "port_id": "181b65ba-d4c0-4cc3-b7a0-dc83c8dc1089", "net_id": "5f671a9d-edee-4831-919b-0e8bebe7bad3"} |
| id | 181b65ba-d4c0-4cc3-b7a0-dc83c8dc1089 |
| mac_address | 02:18:1b:65:ba:d4 |
| name | 181b65ba-d4c0-4cc3-b7a0-dc83c8dc1089 |
| network_id | 5f671a9d-edee-4831-919b-0e8bebe7bad3 |
| security_groups | 2a5cbb78-17e7-4839-ac41-132450566cee |
| status | DOWN |
| tenant_id | 7ecbedd2d3d443b68fe2c75fef8ab395 | <<<<
+-----------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

====================================
root@nodec22:~# source u1rc
root@nodec22:~# neutron net-list
+--------------------------------------+-----------+-------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-----------+-------------------------------------------------------+
| ea83a010-27fe-400c-b8c3-12b4de948a6c | public_vn | b80be187-275f-4623-bcce-33bb5f67e873 10.204.219.64/29 |
+--------------------------------------+-----------+-------------------------------------------------------+
root@nodec22:~# neutron port-list

root@nodec22:~# neutron floatingip-create public_vn
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 10.204.219.67 |
| floating_network_id | ea83a010-27fe-400c-b8c3-12b4de948a6c |
| id | 3bd76081-ec1f-45a7-81e2-b400139a76cc |
| port_id | |
| router_id | |
| tenant_id | 3dcf71b6e5b145eabff43a8cb715e0e5 | <<<<<<<
+---------------------+--------------------------------------+
root@nodec22:~# neutron floatingip-associate 3bd76081-ec1f-45a7-81e2-b400139a76cc 181b65ba-d4c0-4cc3-b7a0-dc83c8dc1089
Associated floatingip 3bd76081-ec1f-45a7-81e2-b400139a76cc
root@nodec22:~#

root@nodec22:~# cat p1u1rc
export OS_USERNAME=p1u1
export OS_PASSWORD=p1u1
export OS_TENANT_NAME=project1
export OS_AUTH_URL=http://10.204.217.70:5000/v2.0/
export OS_NO_CACHE=1
root@nodec22:~#
root@nodec22:~#
root@nodec22:~# cat u1rc
export OS_USERNAME=u1
export OS_PASSWORD=u1
export OS_TENANT_NAME=public
export OS_AUTH_URL=http://10.204.217.70:5000/v2.0/
export OS_NO_CACHE=1
root@nodec22:~#

Tags:

Vedamurthy Joshi (vedujoshi) on 2014-09-25

tags:

added: config

Revision history for this message

Vedamurthy Joshi (vedujoshi) wrote on 2014-09-25:

Once anybody associates like above, FIP list in horizon keeps failing since it cant find the port in the current project

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2014-09-27: A change has been merged

Reviewed: https://review.opencontrail.org/3221
Committed: http://github.org/Juniper/contrail-controller/commit/e07d4951c9d47389e6ec10e909d892fdc68246ff
Submitter: Zuul
Branch: R1.10

commit e07d4951c9d47389e6ec10e909d892fdc68246ff
Author: Sachin Bansal <email address hidden>
Date: Fri Sep 26 14:27:06 2014 -0700

check for port's tenant id when associating a floating ip to a port

Change-Id: I5365f92755b6fa6174b241d749df5b8447672455
Closes-Bug: 1373849
Signed-off-by: Sachin Bansal <email address hidden>

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2014-09-27:

Reviewed: https://review.opencontrail.org/3220
Committed: http://github.org/Juniper/contrail-controller/commit/32d78bf93175d695fa16de6d45fcbecd3eecec15
Submitter: Zuul
Branch: master

commit 32d78bf93175d695fa16de6d45fcbecd3eecec15
Author: Sachin Bansal <email address hidden>
Date: Fri Sep 26 14:27:06 2014 -0700

check for port's tenant id when associating a floating ip to a port

Change-Id: I5365f92755b6fa6174b241d749df5b8447672455
Closes-Bug: 1373849

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.