Comment 57 for bug 1243327

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/havana)

Reviewed: https://review.openstack.org/83393
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1faec8354a0fab953524eaeb6042ad38461a58bc
Submitter: Jenkins
Branch: stable/havana

commit 1faec8354a0fab953524eaeb6042ad38461a58bc
Author: Aaron Rosen <email address hidden>
Date: Wed Mar 26 16:36:56 2014 -0700

    Prevent cross plugging router ports from other tenants

    Previously, a tenant could plug an interface into another tenant's
    router if he knew their router_id by creating a port with the correct
    device_id and device_owner. This patch prevents this from occurring
    by preventing non-admin users from creating ports with device_owner
    network:router_interface with a device_id that matches another tenant's router.
    In addition, it prevents one from updating a port's device_owner and device_id
    so that the device_id won't match another tenant's router with device_owner
    being network:router_interface.

    NOTE: with this change it does open up the possibility for a tenant to discover
    router_ids of another tenant by guessing them and updating a port till
    a conflict occurs. That said, randomly guessing the router id would be hard
    and in theory should not matter if exposed. We also need to allow a tenant
    to update the device_id on network:router_interface ports as this would be
    used by anyone using a vm as a service router. This issue will be fixed in
    another patch upstream as a db migration is required but since this needs
    to be backported to all stable branches this is not possible.

    NOTE: The only plugins affected by this are the ones that use the l3-agent.

    NOTE: **One should perform an audit of the ports that are already
            attached to routers after applying this patch and remove ports
            that a tenant may have cross plugged.**

    Closes-bug: #1243327

    Conflicts:
        neutron/common/exceptions.py
        neutron/db/db_base_plugin_v2.py

    Change-Id: I8bc6241f537d937e5729072dcc76871bf407cdb3
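The ownership check the commit describes, together with the post-patch audit it recommends, as an added illustration that is not Neutron's code: the router/port records, the `ROUTERS`/`PORTS` names and the `compute:nova` owner are constructed for the example, and the check reads the commit message's rule (reject a non-admin create/update whose `device_id` names a router owned by a different tenant; a `device_id` that is not a known router stays allowed for the VM-as-router case).

```python
# Added example, not code from the Neutron commit. Constructed data only.
ROUTER_INTERFACE = "network:router_interface"

# Constructed inventory: router_id -> owning tenant_id
ROUTERS = {"r-alice": "tenant-a", "r-bob": "tenant-b"}

# Constructed port records as they might exist before the fix was applied
PORTS = [
    {"id": "p1", "tenant_id": "tenant-a", "device_owner": ROUTER_INTERFACE, "device_id": "r-alice"},
    # tenant-b plugged a port into tenant-a's router: the cross-plug the commit closes
    {"id": "p2", "tenant_id": "tenant-b", "device_owner": ROUTER_INTERFACE, "device_id": "r-alice"},
    # a VM-as-router port: device_id is not a known router, must remain allowed
    {"id": "p4", "tenant_id": "tenant-b", "device_owner": ROUTER_INTERFACE, "device_id": "vm-router-9"},
    {"id": "p3", "tenant_id": "tenant-b", "device_owner": "compute:nova", "device_id": "vm-1"},
]


def router_port_allowed(port, is_admin, routers=ROUTERS):
    """Return True if a create/update of `port` should be accepted.

    Admins are unrestricted. For non-admins, a network:router_interface port
    whose device_id matches a router owned by another tenant is rejected.
    """
    if is_admin or port.get("device_owner") != ROUTER_INTERFACE:
        return True
    owner = routers.get(port.get("device_id"))
    if owner is None:
        return True  # unknown device_id: VM acting as a router, allowed per the commit
    return owner == port["tenant_id"]


def audit_cross_plugged(ports=PORTS, routers=ROUTERS):
    """List ids of existing router-interface ports attached to another tenant's router.

    This is the audit the commit asks operators to perform after applying the patch.
    """
    return [
        p["id"]
        for p in ports
        if p["device_owner"] == ROUTER_INTERFACE
        and routers.get(p["device_id"]) not in (None, p["tenant_id"])
    ]


if __name__ == "__main__":
    print("cross-plugged ports to review:", audit_cross_plugged())
```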