Queries for fetching quotas are not scoped

Bug #1505406 reported by Salvatore Orlando
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Salvatore Orlando

Bug Description

get_tenant_quotas retrieves quotas for a tenant without scoping the query with the tenant_id issuing the request [1]; even if the API extension has an explicit authorisation check (...) [2], it is advisable to scope the query so that this problem is avoided.

This is particularly relevant because, with the pecan framework, quota management APIs are no longer "special" from an authZ perspective, but use the same authorization hook as any other API.

[1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/quota/driver.py#n50
[2] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/quotasv2.py#n87

Tags: api db
Changed in neutron:
status: New → In Progress
Armando Migliaccio (armando-migliaccio) wrote:

Is this backport material?

tags: added: api db
Changed in neutron:
importance: Medium → Low
Changed in neutron:
milestone: mitaka-1 → mitaka-2
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/233855
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=24b482ac15b5fa99edd2c3438318a41f9af06bcf
Submitter: Jenkins
Branch: master

commit 24b482ac15b5fa99edd2c3438318a41f9af06bcf
Author: Salvatore Orlando <email address hidden>
Date: Mon Oct 12 15:47:03 2015 -0700

    Scope get_tenant_quotas by tenant_id

    Using model_query in the operation for retrieving tenant limits
    will spare the need for explicit authorization check in the
    quota controller. This is particularly relevant for the pecan
    framework where every Neutron API call undergoes authZ checks
    in the same pecan hook.

    This patch will automatically adapt to eventual changes
    introducing "un-scoped" contexts.

    Closes-bug: #1505406

    Change-Id: I6952f5c85cd7fb0263789f768d23de3fe80b8183
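The two query styles contrasted in the bug description and in the commit message, as an added illustration that is not Neutron's code: a constructed in-memory quota table, a minimal request context carrying tenant_id and is_admin, the unscoped lookup that returns whatever tenant_id the caller names, and the same lookup routed through a stand-in for model_query that appends a tenant filter for non-admin contexts. All names (Context, build_db, model_query, get_tenant_quotas_unscoped, get_tenant_quotas_scoped) are hypothetical.

```python
"""Tenant scoping of a quota lookup, added as an illustration of bug #1505406.

Constructed stand-in for the neutron quota driver: the table, the Context
class and the model_query helper are hypothetical, not Neutron's own API.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal request context: who is asking and whether they are admin."""
    tenant_id: str
    is_admin: bool = False


def build_db() -> sqlite3.Connection:
    """Constructed sample data: per-tenant limits for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quotas (tenant_id TEXT, resource TEXT, hard_limit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO quotas VALUES (?, ?, ?)",
        [
            ("tenant-a", "network", 10),
            ("tenant-a", "port", 50),
            ("tenant-b", "network", 100),
            ("tenant-b", "port", 500),
        ],
    )
    return conn


def get_tenant_quotas_unscoped(conn, context, tenant_id):
    """The pattern the report describes: the query filters only on the
    requested tenant_id and never consults the caller's context, so any
    caller reaching this code path can read another tenant's limits."""
    rows = conn.execute(
        "SELECT resource, hard_limit FROM quotas WHERE tenant_id = ?",
        (tenant_id,),
    ).fetchall()
    return dict(rows)


def model_query(conn, context, sql, params):
    """Stand-in for a model_query-style helper: for non-admin contexts it
    appends a filter on the caller's own tenant_id, so the data layer
    enforces scoping regardless of what the API controller checked."""
    if context.is_admin:
        return conn.execute(sql, params).fetchall()
    return conn.execute(
        sql + " AND tenant_id = ?", params + (context.tenant_id,)
    ).fetchall()


def get_tenant_quotas_scoped(conn, context, tenant_id):
    """The fixed pattern: the same lookup routed through model_query.
    A non-admin asking for another tenant's quotas gets an empty result."""
    rows = model_query(
        conn,
        context,
        "SELECT resource, hard_limit FROM quotas WHERE tenant_id = ?",
        (tenant_id,),
    )
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    user_a = Context("tenant-a")
    print("unscoped, tenant-a asking for tenant-b:",
          get_tenant_quotas_unscoped(db, user_a, "tenant-b"))
    print("scoped,   tenant-a asking for tenant-b:",
          get_tenant_quotas_scoped(db, user_a, "tenant-b"))
```

The scoped version is what makes an authorization check in the controller redundant rather than load-bearing: even if a future hook lets an un-scoped or mis-scoped request through, a non-admin context can only ever see its own rows.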

Changed in neutron:
status: In Progress → Fix Released