I can't add interface to router, if there is another port in non-shared network of other tenant
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | High | Akihiro Motoki | |
Folsom | Fix Released | High | Gary Kotton | |
quantum (Ubuntu) | Fix Released | Undecided | Unassigned | |
Precise | Won't Fix | Undecided | Unassigned | |
Quantal | Fix Released | Undecided | Unassigned | |
Bug Description
Hello, I have a problem. I'm unable to add an interface to a router if another interface was previously added from a network in another subnet. There is a confusing error message:
yar@os-
Subnet afb62abc-
It's confusing, because I'm trying to add an interface with subnet 3e159530-
Stacktrace:
2012-09-27 14:17:48 ERROR [quantum.
Traceback (most recent call last):
File "/opt/stack/
result = method(
File "/opt/stack/
return getattr(
File "/opt/stack/
subnet[
File "/opt/stack/
cidr = self._get_
File "/opt/stack/
raise q_exc.SubnetNot
SubnetNotFound: Subnet afb62abc-
So, obviously, the problem was caused by the subnet overlap check, which iterates over all interface ports in this router and gets the subnets from them. The main problem is that it tries to do this with the user's context, and subnets from other tenants are not found.
BTW, this bug leads to information disclosure about other tenants' network IDs.
Related branches
- Openstack Ubuntu Testers: Pending requested
- Diff: 79 lines (+68/-0), 1 file modified: debian/changelog (+68/-0)
Changed in quantum:
status: Incomplete → Confirmed
Changed in quantum:
assignee: dan wendlandt (danwent) → Akihiro Motoki (amotoki)
tags: removed: folsom-backport-potential
Changed in quantum (Ubuntu):
status: New → Fix Released
Changed in quantum (Ubuntu Precise):
status: New → Confirmed
Changed in quantum:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Changed in quantum (Ubuntu Quantal):
status: New → Confirmed
tags: removed: in-stable-folsom
Changed in quantum:
milestone: grizzly-1 → 2013.1
Changed in quantum (Ubuntu Precise):
status: Confirmed → Won't Fix
Thanks for the report. So is it that the router is owned by demo, but earlier an admin user added a subnet from a different tenant to the network, which causes a later attempt by demo to add an additional interface to fail?
The fix here should be fairly straightforward: the duplicate check should do a get on subnets with an elevated context.
I agree that the error message is confusing.
Exposing the UUID of a different subnet alone does not strike me as a significant security concern, as I can't think of any way that the UUID exposes any useful information, since calls to access that UUID would be prevented by policy. Does anyone see any other issues?
Please update with confirmed steps to repro, at which point I think the fix should be pretty straightforward.
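A minimal model of the failure described in the report and of the elevated-context fix suggested in the comment above. This is an added example, not code from the bug page or from Quantum itself; the `Context` class, the function names, the subnet ids and the CIDRs are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

class SubnetNotFound(Exception):
    pass

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

    def elevated(self):
        return Context(self.tenant_id, is_admin=True)

# Constructed sample data: subnet id -> (owning tenant, CIDR).
SUBNETS = {
    "subnet-other": ("tenant-b", "10.0.0.0/24"),
    "subnet-mine": ("tenant-a", "10.0.1.0/24"),
    "subnet-clash": ("tenant-a", "10.0.0.128/25"),
}
# The router already has an interface on the other tenant's subnet.
ROUTER_PORT_SUBNETS = ["subnet-other"]

def get_subnet(ctx, subnet_id):
    """Tenant-scoped lookup: non-admin callers see only their own subnets."""
    owner, cidr = SUBNETS.get(subnet_id, (None, None))
    if owner is None or not (ctx.is_admin or owner == ctx.tenant_id):
        raise SubnetNotFound("Subnet %s could not be found" % subnet_id)
    return ipaddress.ip_network(cidr)

def overlaps_router(ctx, new_subnet_id, elevate):
    """True if the requested subnet overlaps one already on the router."""
    new_net = get_subnet(ctx, new_subnet_id)  # caller must own this one
    lookup_ctx = ctx.elevated() if elevate else ctx
    return any(new_net.overlaps(get_subnet(lookup_ctx, sid))
               for sid in ROUTER_PORT_SUBNETS)

def add_interface(ctx, new_subnet_id, elevate=True):
    if overlaps_router(ctx, new_subnet_id, elevate):
        # Assumption: name only the subnet the caller asked for.
        return "rejected: %s overlaps an existing interface" % new_subnet_id
    return "added: %s" % new_subnet_id

if __name__ == "__main__":
    demo = Context("tenant-a")
    print(add_interface(demo, "subnet-mine"))   # check runs elevated
    print(add_interface(demo, "subnet-clash"))  # real overlap, no foreign id
```

Calling `add_interface(demo, "subnet-mine", elevate=False)` reproduces the reported behaviour: the internal check raises `SubnetNotFound` naming the other tenant's subnet, even though the caller asked about their own.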