Murano

Bug #1440094
Comment #4

Comment 4 for bug 1440094

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-15: Fix merged to murano (master)

Reviewed: https://review.openstack.org/172015
Committed: https://git.openstack.org/cgit/stackforge/murano/commit/?id=f18661b586d486f276d1db980590bab3d607a578
Submitter: Jenkins
Branch: master

commit f18661b586d486f276d1db980590bab3d607a578
Author: Alexander Tivelkov <email address hidden>
Date: Thu Apr 9 14:08:05 2015 +0300

Fix for cross-tenant package and class isolation

    The database constraints which were present were enforcing the global
    uniqueness of package FQNs and the names of classes defined in them.
    This behavior was not correct, as the uniqueness should be enforced per
    tenant, so the same package may be uploaded into two isolated tenants
    without affecting each other.

    This behavior lead to a very serious security issue: any tenant could
    upload a package, leave it private and thus block all other tenants of
    the cloud from uploading the package with the same name or even other
    packages which contain at least one class in common with it. This could
    be used to intentionally block all the operations of Murano on any
    public environments.

    This fix modifies the package name constraint to be unique only in
    combination with owner_id, i.e. makes packages unique per tenant. Also
    it removes the class name uniquness check from database (as there is no
    cross-DB way to check it in a proper way) and adds a check method in
    db.api module instead.

    As the packages may be made public, this introduces a potential
    collision: if the user owns some package, and there is a public package
    with the same fully-qualified-name (or defining same class(es)) then the
    class loader of the engine will have to choise between these packages
    and/or classes defined in them.
    To resolve this collision this commit adds a logic to fetch all the
    patching packages and then pick the best match. Packages owned by the
    current tenant are the most preferred, then the engine will pick public
    packages, and non-owned non-public packages are the least preferred
    (there may be no such packages now, they may appear when we add other
    ways of package sharing).

Closes-bug: #1440094
Change-Id: I5c9b49642dfb6e955cf0c98b42f418da3b82060a

Reviewed:  https://review.openstack.org/172015
Committed: https://git.openstack.org/cgit/stackforge/murano/commit/?id=f18661b586d486f276d1db980590bab3d607a578
Submitter: Jenkins
Branch:    master

commit f18661b586d486f276d1db980590bab3d607a578
Author: Alexander Tivelkov <ativelkov@mirantis.com>
Date:   Thu Apr 9 14:08:05 2015 +0300

Fix for cross-tenant package and class isolation
    
    The database constraints which were present were enforcing the global
    uniqueness of package FQNs and the names of classes defined in them.
    This behavior was not correct, as the uniqueness should be enforced per
    tenant, so the same package may be uploaded into two isolated tenants
    without affecting each other.
    
    This behavior lead to a very serious security issue: any tenant could
    upload a package, leave it private and thus block all other tenants of
    the cloud from uploading the package with the same name or even other
    packages which contain at least one class in common with it. This could
    be used to intentionally block all the operations of Murano on any
    public environments.
    
    This fix modifies the package name constraint to be unique only in
    combination with owner_id, i.e. makes packages unique per tenant. Also
    it removes the class name uniquness check from database (as there is no
    cross-DB way to check it in a proper way) and adds a check method in
    db.api module instead.
    
    As the packages may be made public, this introduces a potential
    collision: if the user owns some package, and there is a public package
    with the same fully-qualified-name (or defining same class(es)) then the
    class loader of the engine will have to choise between these packages
    and/or classes defined in them.
    To resolve this collision this commit adds a logic to fetch all the
    patching packages and then pick the best match. Packages owned by the
    current tenant are the most preferred, then the engine will pick public
    packages, and non-owned non-public packages are the least preferred
    (there may be no such packages now, they may appear when we add other
    ways of package sharing).
    
    Closes-bug: #1440094
    Change-Id: I5c9b49642dfb6e955cf0c98b42f418da3b82060a