some plugins don't check tenant ownership

Bug #942713 reported by dan wendlandt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Critical | dan wendlandt |
quantum (Ubuntu) | Fix Released | Undecided | Unassigned |
Nominated for Precise by Yolanda Robla

Bug Description

Several plugins, particularly those using the MySQL code to store networks and ports, do not properly check that a network or port is owned by a particular tenant when processing calls to get/update/delete ports + networks.

It was thought that this was not a big deal b/c the quantum API was not yet exposed to tenants anyway (only to Nova's QuantumManager) but it turns out that this confuses the "validate_networks" method in QuantumManager, which is used to validate the set of networks passed in using the os-create-server-ext extension.

dan wendlandt (danwent)
Changed in nova:
status: New → In Progress
affects: nova → quantum
Changed in quantum:
importance: Undecided → Critical
assignee: nobody → dan wendlandt (danwent)
milestone: none → essex-4
dan wendlandt (danwent) wrote :

The related bug in nova is #942527. Oddly, I was working on this patch already, but the Nova bug demonstrates that the bug is higher priority than we previously thought.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/4647

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/4647
Committed: http://github.com/openstack/quantum/commit/c029777dd7523c5216fee5d48dd9f9ca4bf3b84d
Submitter: Jenkins
Branch: master

commit c029777dd7523c5216fee5d48dd9f9ca4bf3b84d
Author: Dan Wendlandt <email address hidden>
Date: Tue Feb 28 12:34:49 2012 -0800

    Fix some plugins that don't check that nets + ports are owned by tenant

    bug 942713. This bug confuses the validate_networks() method of
    QuantumManager in Nova, causing it to believe that it is valid for a
    tenant to plug into a particular network when in fact that network is not
    owned by the tenant, nor the "provider".

    The patch also adds unit tests to confirm correct plugin behavior.

    This patch fixes the issue for the Sample Plugin, the OVS plugin,
    the Linux Bridge plugin, and the Ryu plugin, all of which have the
    same DB model. Validated the fix with the unit tests.

    I couldn't run the unit tests for the NVP plugin standalone, but by
    inspection, the code seems to handle this case. I wasn't able to run
    the Cisco plugin unit tests, and that code uses its own DB model, so I
    am uncertain whether this issue exists in that plugin.

    Change-Id: I8c4a5f3eb151b91a1076821dc1916842510dfb90

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/4736

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (milestone-proposed)

Reviewed: https://review.openstack.org/4736
Committed: http://github.com/openstack/quantum/commit/694657af6ef6cfd93ec44299ebc42cd60007da28
Submitter: Jenkins
Branch: milestone-proposed

commit 694657af6ef6cfd93ec44299ebc42cd60007da28
Author: Sumit Naiksatam <email address hidden>
Date: Tue Feb 28 22:30:17 2012 -0800

    Introducing the tenant ownership checks in the Cisco plugin, changes are
    almost identical to those in Bug#942713

    Change-Id: Ia320116e73db72090d925796bb2c832f31f878de

Thierry Carrez (ttx)
Changed in quantum:
milestone: essex-4 → 2012.1
Changed in quantum (Ubuntu):
status: New → Fix Released
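
The class of flaw described in this report, shown as an added example that is not code from the Quantum plugins or from the patches linked above: a lookup keyed only on the network id next to one scoped to the owning tenant, plus a caller that treats a successful lookup as authorization. The schema, the function names and the sample rows are hypothetical and constructed for illustration; provider-owned networks are left out.

```python
import sqlite3

class NetworkNotFound(Exception):
    """No network with that id is visible to the calling tenant."""

def make_db():
    # Constructed sample data: two tenants, one network each, one port on net-b.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE networks (uuid TEXT PRIMARY KEY, tenant_id TEXT)")
    db.execute("CREATE TABLE ports (uuid TEXT PRIMARY KEY, network_id TEXT)")
    db.executemany("INSERT INTO networks VALUES (?, ?)",
                   [("net-a", "tenant-a"), ("net-b", "tenant-b")])
    db.execute("INSERT INTO ports VALUES ('port-b1', 'net-b')")
    return db

def network_get_unscoped(db, tenant_id, net_id):
    # Flawed pattern: tenant_id is accepted but never used in the query.
    row = db.execute("SELECT uuid, tenant_id FROM networks WHERE uuid = ?",
                     (net_id,)).fetchone()
    if row is None:
        raise NetworkNotFound(net_id)
    return row

def network_get(db, tenant_id, net_id):
    # Scoped lookup: another tenant's network looks the same as a missing one.
    row = db.execute(
        "SELECT uuid, tenant_id FROM networks WHERE uuid = ? AND tenant_id = ?",
        (net_id, tenant_id)).fetchone()
    if row is None:
        raise NetworkNotFound(net_id)
    return row

def port_delete(db, tenant_id, net_id, port_id):
    # Ports inherit ownership from their network, so check the network first.
    network_get(db, tenant_id, net_id)
    cur = db.execute("DELETE FROM ports WHERE uuid = ? AND network_id = ?",
                     (port_id, net_id))
    return cur.rowcount

def accepted_networks(lookup, db, tenant_id, net_ids):
    # Stand-in for a caller that equates "lookup succeeded" with "tenant may
    # plug into this network" (hypothetical, not Nova's code).
    accepted = []
    for net_id in net_ids:
        try:
            lookup(db, tenant_id, net_id)
            accepted.append(net_id)
        except NetworkNotFound:
            pass
    return accepted
```

A regression test for this kind of fix should exercise every get/update/delete path with a second tenant's identifiers and expect the same error as for a nonexistent object.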