Non-admin owned networks can be updated to shared

Bug #1268823 reported by Stephen Ma on 2014-01-14
This bug affects 1 person
Affects: neutron
Importance: Medium
Assigned to: Stephen Ma

Bug Description

As a non-admin user, I am unable to create a shared network:

stack@sma-vm-dvstk:~/DEVSTACK/devstack$

stack@sma-vm-dvstk:~/DEVSTACK/devstack$ neutron net-create mysharednet --shared
{"NeutronError": {"message": "Policy doesn't allow create_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}

This is expected since the behavior is defined in policy.json.

However, I am able to update a network to be shared. If a network cannot be created with shared=True, then the network shouldn't be able to be modified to be shared=True.

stack@sma-vm-dvstk:~/DEVSTACK/devstack$ neutron net-create mysharednet
Created a new network:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| id             | 3e2ccb52-79a5-404b-9838-3a0926b35947 |
| name           | mysharednet                          |
| shared         | False                                |
| status         | ACTIVE                               |
| subnets        |                                      |
| tenant_id      | c3d21dbd077144fe9d8f919488f72c2d     |
+----------------+--------------------------------------+

stack@sma-vm-dvstk:~/DEVSTACK/devstack$ neutron net-update mysharednet --shared True
Updated network: mysharednet

stack@sma-vm-dvstk:~/DEVSTACK/devstack$ neutron net-show mysharednet
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 3e2ccb52-79a5-404b-9838-3a0926b35947 |
| name            | mysharednet                          |
| router:external | False                                |
| shared          | True                                 |
| status          | ACTIVE                               |
| subnets         |                                      |
| tenant_id       | c3d21dbd077144fe9d8f919488f72c2d     |
+-----------------+--------------------------------------+

Tags: api
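The report above shows an attribute restricted on create but not on update. As an added example (not code from the bug report or from neutron), the following check flags every attribute in a policy file whose create rule differs from the rule that would govern it on update. The sample policy is constructed, the function name is hypothetical, and the code assumes rule keys of the form "action_resource:attribute" with fallback to the resource-level rule when no attribute-level rule exists.

```python
import json

# Constructed sample in the style of a policy.json file (not neutron's real file).
SAMPLE_POLICY = json.loads("""
{
  "admin_only": "rule:context_is_admin",
  "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
  "create_network": "",
  "create_network:shared": "rule:admin_only",
  "create_network:router:external": "rule:admin_only",
  "update_network": "rule:admin_or_owner",
  "update_network:router:external": "rule:admin_only"
}
""")


def find_update_gaps(policy):
    """Return (create_key, update_key, effective_update_rule) tuples for
    attributes whose update rule differs from their create rule.

    A difference is a lead for human review, not proof of a bypass: the
    comparison is textual and does not evaluate the rule expressions.
    """
    gaps = []
    for key, rule in sorted(policy.items()):
        # Only attribute-level create rules, e.g. "create_network:shared".
        if not key.startswith("create_") or ":" not in key:
            continue
        resource, attr = key[len("create_"):].split(":", 1)
        update_key = "update_%s:%s" % (resource, attr)
        # Assumption: without an attribute-level update rule, only the
        # resource-level rule (e.g. "update_network") is enforced.
        effective = policy.get(update_key, policy.get("update_" + resource, ""))
        if effective != rule:
            gaps.append((key, update_key, effective))
    return gaps


if __name__ == "__main__":
    for create_key, update_key, effective in find_update_gaps(SAMPLE_POLICY):
        print("%s is restricted, but %s falls back to %r"
              % (create_key, update_key, effective))
```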
Stephen Ma (stephen-ma) on 2014-01-14
Changed in neutron:
assignee: nobody → Stephen Ma (stephen-ma)

Fix proposed to branch: master
Review: https://review.openstack.org/69095

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
tags: added: api
Changed in neutron:
milestone: none → icehouse-3

Reviewed: https://review.openstack.org/69095
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e4836bd08c5cc86090116bf79566bee5082edc82
Submitter: Jenkins
Branch: master

commit e4836bd08c5cc86090116bf79566bee5082edc82
Author: Stephen Ma <email address hidden>
Date: Mon Jan 20 15:48:28 2014 +0000

    Disallow non-admin users update net's shared attribute

    Currently non-admin user cannot create a network with
    shared=True. But the user can create the network and then
    change the shared attribute to True.

    This patch will no longer allow non-admin user to update a
    network's shared value to True.

    Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
    Closes-Bug: 1268823

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-03-05
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in neutron:
milestone: icehouse-3 → 2014.1