port-list should not list the dhcp ports for normal user

Bug #1267310 reported by yong sheng gong
This bug affects 2 people
Affects: neutron
Status: Won't Fix
Importance: Medium
Assigned to: Ann Taraday

Bug Description

With a non-admin user, I can list the dhcp port, and if I try to update the fixed ips of these dhcp ports, it is not reflected in the dhcpagent at all, I mean the nic device's ip in the dhcp namespace.

So I think we should not allow a normal user to view the dhcp port in the first place.
[root@controller ~]# neutron port-list
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 1a5a2236-9b66-4b6d-953d-664fad6be3bb | | fa:16:3e:cf:52:b3 | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.3"} |
| 381e244e-4012-4a49-83d3-f252fa4e41a1 | | fa:16:3e:cf:94:bd | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.7"} |
| 3bba05d3-10ec-49f1-9335-1103f791584b | | fa:16:3e:fe:aa:6f | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.6"} |
| 939d5696-0780-40c6-a626-a9a9df933553 | | fa:16:3e:c7:5b:73 | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.4"} |
| ad89d303-9e8c-43bb-a029-b341340a92bb | | fa:16:3e:21:6d:98 | {"subnet_id": "c8e59b09-60d3-4996-8692-02334ee0e658", "ip_address": "192.168.230.3"} |
| cb350109-39d3-444c-bc33-538c22415171 | | fa:16:3e:f4:d3:e8 | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.5"} |
| d1e79c7c-d500-475f-8e21-2c1958f0a136 | | fa:16:3e:2d:c7:a1 | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.1"} |
| ddc076f6-16aa-4f12-9745-2ac27dd5a38a | | fa:16:3e:e0:04:44 | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.8"} |
| f2a4df5c-e719-46cc-9bdb-bf9771a2c205 | | fa:16:3e:01:73:5e | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.2"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
[root@controller ~]# neutron port-show 1a5a2236-9b66-4b6d-953d-664fad6be3bb
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| device_id | dhcpd3377d3c-a0d1-5d71-9947-f17125c357bb-20f45603-b76a-4a89-9674-0127e39fc895 |
| device_owner | network:dhcp |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "e38cf289-3b4b-4684-90e0-d44d2ee1cb90", "ip_address": "10.0.1.3"} |
| id | 1a5a2236-9b66-4b6d-953d-664fad6be3bb |
| mac_address | fa:16:3e:cf:52:b3 |
| name | |
| network_id | 20f45603-b76a-4a89-9674-0127e39fc895 |
| security_groups | |
| status | ACTIVE |
| tenant_id | c8a625a4c71b401681e25e3ad294b255 |
+-----------------------+---------------------------------------------------------------------------------+

Changed in neutron:
status: New → Confirmed
Carl Baldwin (carl-baldwin) wrote :

A better solution might be to not allow updating the IP of a DHCP port. I don't mind showing dhcp ports in the port-show command. Not showing them would probably cause more confusion in my opinion.

shihanzhang (shihanzhang) wrote :

I think the dhcp port shouldn't be updated and deleted!

Tiantian Gao (gtt116) wrote :

The bug is similar to https://bugs.launchpad.net/neutron/+bug/1314614, which reported that a user can delete an 'in use' port but leave an orphan interface in the vm.

I think the solution is locking the port if the port is in use, no matter whether it is used by an instance or dhcp or whatever.

Changed in neutron:
assignee: yong sheng gong (gongysh) → Eugene Nikanorov (enikanorov)
YAMAMOTO Takashi (yamamoto) wrote :
tags: added: api
Jack McCann (jack-mccann) wrote :

I think the user should be allowed to see the port; we should either fix the update handling, or prevent updates.

Does the problem also exist for router ports? If so, a similar change should be applied there.
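
A sketch of the behaviour proposed in the comments above (the tenant can still see the port, but cannot change or delete it), as an added example that is not Neutron's code or part of the original report. The `authorize` function, the request context shape, the `PROTECTED_ATTRS` set and the `network:` prefix match on `device_owner` are assumptions made for illustration; the sample port is constructed from the port-show output in the report.

```python
import re

# Assumption: service-owned ports are recognised by a "network:" device_owner
# prefix, as in the "network:dhcp" port shown in the report.
SERVICE_OWNER = re.compile(r"^network:")

# Hypothetical set of attributes a tenant may not change on a service-owned port.
PROTECTED_ATTRS = {"fixed_ips", "mac_address", "device_owner", "device_id"}


def authorize(action, port, ctx, changes=None):
    """Return (allowed, reason) for a hypothetical port API request."""
    if ctx.get("is_admin"):
        return True, "admin"
    if ctx.get("tenant_id") != port["tenant_id"]:
        return False, "not owner"
    if action == "get_port":
        # Visibility is unchanged: the port belongs to the tenant.
        return True, "owner may view"
    service_port = bool(SERVICE_OWNER.match(port.get("device_owner") or ""))
    if action == "delete_port":
        if service_port:
            return False, "service-owned port"
        return True, "owner"
    if action == "update_port":
        # Only the protected attributes are refused; a rename still passes.
        blocked = sorted(PROTECTED_ATTRS & set(changes or {}))
        if service_port and blocked:
            return False, "protected on service port: " + ", ".join(blocked)
        return True, "owner"
    return False, "unknown action"


# Constructed sample based on the port-show output in the report.
DHCP_PORT = {
    "id": "1a5a2236-9b66-4b6d-953d-664fad6be3bb",
    "device_owner": "network:dhcp",
    "tenant_id": "c8a625a4c71b401681e25e3ad294b255",
}
TENANT = {"tenant_id": DHCP_PORT["tenant_id"], "is_admin": False}

if __name__ == "__main__":
    requests = [
        ("get_port", None),
        ("update_port", {"name": "dhcp"}),
        ("update_port", {"fixed_ips": [{"ip_address": "10.0.1.9"}]}),
        ("delete_port", None),
    ]
    for action, changes in requests:
        print(action, changes, authorize(action, DHCP_PORT, TENANT, changes))
```

Because the match is on the `network:` prefix, the same decision applies to router ports, which is the case raised in the comment above.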

Changed in neutron:
importance: High → Medium
Changed in neutron:
assignee: Eugene Nikanorov (enikanorov) → Ann Kamyshnikova (akamyshnikova)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122124

Changed in neutron:
status: Confirmed → In Progress
Salvatore Orlando (salvatore-orlando) wrote :

The DHCP port belongs to the tenant, which is therefore entitled to see it.

Deployers wishing to prevent that MIGHT configure policies to remove network ports from responses.
This is possible in theory, even if I would strongly advise against it, as this kind of setting ends up making openstack applications not portable across deployments.

Changed in neutron:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Ann Kamyshnikova (<email address hidden>) on branch: master
Review: https://review.openstack.org/122124
Reason: According to Salvatore's comments on the bug
