fwaas: shared attribute of tenant's firewall should not have the option to update

Bug #1323322 reported by Rajkumar
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | High | Eugene Nikanorov |

Bug Description

DESCRIPTION:

The shared attribute is not shown when creating a firewall.
I understand that only an admin can create a shared firewall, since it will affect other tenants as well.
In that case, creating a shared firewall is correctly prohibited; however, I am able to update the firewall from the tenant with shared = true.
This should not be allowed.

Steps to Reproduce:

root@IGA-OSC:~# fwc 7436f673-e1e8-4acf-b8a2-38e70a020105 --name f2 --shared true
Invalid values_specs true
root@IGA-OSC:~# fwc 7436f673-e1e8-4acf-b8a2-38e70a020105 --name f2 --shared false
Invalid values_specs false
root@IGA-OSC:~# fwc 7436f673-e1e8-4acf-b8a2-38e70a020105 --name f2 --shared
{"NeutronError": {"message": "Policy doesn't allow create_firewall to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
root@IGA-OSC:~# fwc 7436f673-e1e8-4acf-b8a2-38e70a020105 --name f2
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 7436f673-e1e8-4acf-b8a2-38e70a020105 |
| id | 476dfe06-07f0-404b-8e92-aae953257af9 |
| name | f2 |
| status | PENDING_CREATE |
| tenant_id | bf4fbb928d574829855ebfd9e5d0e58c |
+--------------------+--------------------------------------+
root@IGA-OSC:~# fwu f2 --shared true --------------------------------------------------------------------> able to update
Updated firewall: f2
root@IGA-OSC:~# fws f2
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | 7436f673-e1e8-4acf-b8a2-38e70a020105 |
| id | 476dfe06-07f0-404b-8e92-aae953257af9 |
| name | f2 |
| status | ACTIVE |
| tenant_id | bf4fbb928d574829855ebfd9e5d0e58c |
+--------------------+--------------------------------------+

Actual Results:
Able to update the shared attribute of tenant's firewall
Expected Results:
tenant's firewall should not be able to update the shared attribute

Tags: api fwaas
Changed in neutron:
importance: Undecided → Medium
tags: added: fwaas
Changed in neutron:
status: New → Confirmed
importance: Medium → High
assignee: nobody → Eugene Nikanorov (enikanorov)
tags: added: api
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/95953

Changed in neutron:
status: Confirmed → In Progress
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → juno-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/95953
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0f7cfee155c0e3e216b4a1425ec1fbdde6eeb296
Submitter: Jenkins
Branch: master

commit 0f7cfee155c0e3e216b4a1425ec1fbdde6eeb296
Author: Eugene Nikanorov <email address hidden>
Date: Wed May 28 02:08:17 2014 +0400

    Disallow regular user to update firewall's shared attribute

    Shared firewalls should only be operable by admins.
    Currently only admin can provide shared attribute at firewall creation,
    so update_firewall should be consistent with that as well.

    Change-Id: I093743514637824207b375d724404d51f778d012
    Closes-Bug: #1323322

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-1 → 2014.2
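
The create/update inconsistency described in this report, as an added example (not Neutron's code and not the merged patch): a simplified per-attribute policy check, plus an audit that flags attributes restricted on create but not on update. The rule names, the `<action>:<attribute>` key convention, the helper names and the tenant IDs are assumptions made for illustration, as is the premise that the gap was a missing per-attribute rule on update.

```python
class PolicyNotAuthorized(Exception):
    """Mirrors the error type shown in the report's CLI output."""

# Constructed rule tables (assumed names, "<action>:<attribute>" convention).
BEFORE_FIX = {
    "create_firewall": "any",
    "create_firewall:shared": "admin_only",
    "update_firewall": "admin_or_owner",
}
AFTER_FIX = dict(BEFORE_FIX, **{"update_firewall:shared": "admin_only"})

def _allowed(rule, ctx, resource):
    if rule == "any":
        return True
    if rule == "admin_only":
        return ctx["is_admin"]
    if rule == "admin_or_owner":
        return ctx["is_admin"] or ctx["tenant_id"] == resource["tenant_id"]
    raise ValueError("unknown rule: %s" % rule)

def enforce(rules, action, ctx, resource, body):
    """Check the action rule, then any rule defined for each body attribute."""
    denied = PolicyNotAuthorized(
        "Policy doesn't allow %s to be performed." % action)
    if action not in rules:  # default deny for unknown actions
        raise denied
    for name in [action] + ["%s:%s" % (action, attr) for attr in body]:
        rule = rules.get(name)
        # In this model an attribute without its own rule is covered only by
        # the action rule, so an owner may set it.
        if rule is not None and not _allowed(rule, ctx, resource):
            raise denied
    return True

def audit_missing_update_rules(rules):
    """Return update rules missing for attributes restricted on create."""
    missing = []
    for name in rules:
        action, _, attr = name.partition(":")
        if attr and action.startswith("create_"):
            twin = "update_%s:%s" % (action[len("create_"):], attr)
            if twin not in rules:
                missing.append(twin)
    return sorted(missing)
```

Running `audit_missing_update_rules` over a policy table in CI catches this class of gap before a tenant finds it through the update path.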