api server doesn't use token to filter out resource list for a user
Bug #1350992 reported by
Rahul
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Juniper Openstack |
Fix Committed
|
Medium
|
Hampapur Ajay | ||
Bug Description
UI and other clients send scoped tenant tokens to API server for any CRUD requests.
But API server doesn't look at the token to filter out the resources that a user can access.
In UI / Horizon we filter out network etc show for a user based on the projects that they have access to.
But the List operations from API server dump all networks, policies etc regardless of the token / projects that token has access to.
Even with non-admin tokens anyone can inoke CRUD on admin resources i.e. bgp-routers, vrouters, forwarding options, global system config etc.
| Changed in juniperopenstack: | |
| milestone: | none → r1.10-fcs |
Revision history for this message
| Raj Reddy (rajreddy) wrote | #1 |
| Changed in juniperopenstack: | |
| assignee: | nobody → Hampapur Ajay (hajay) |
| importance: | High → Medium |
| information type: | Proprietary → Public |
| Changed in juniperopenstack: | |
| status: | New → Confirmed |
| Changed in juniperopenstack: | |
| milestone: | r1.10-fcs → none |
Revision history for this message
| Sachin Bansal (sbansal) wrote | #3 |
| Changed in juniperopenstack: | |
| status: | Confirmed → Fix Committed |
To post a comment you must log in.
probably not just a bug fix -- needs discussion w/ Harsh on impl..