FWaaS - Missing tenant_id validation between firewall and firewall_policy in creating/updating firewall

Bug #1446074 reported by Yushiro FURUKAWA
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| neutron | Fix Released | Low | Sean M. Collins | |

Bug Description

When creating/updating a firewall, the tenant_id check is not implemented in validation.
Therefore, when executing the following operation with admin privilege,
the error keeps being traced into neutron's log even though the firewall has been created.

[Operation]
1. Create firewall-policy(shared=False) in alt_demo tenant.
  $ source devstack/openrc alt_demo alt_demo
2. Change privilege from alt_demo to admin(in demo tenant)
  $ source devstack/openrc admin demo
3. Create firewall using firewall-policy in alt_demo tenant.
  $ neutron firewall-create <firewall-policy-in-alt_demo> --name my_fw

[Result]
Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 40648e44-2175-4ad7-b190-93179900ac63 |
| id                 | fff7cbc0-1896-4b6c-8dee-633df68624c2 |
| name               | my_fw                                |
| router_ids         | cab4d01f-053b-4e07-a764-d829e66a3f6e |
| status             | PENDING_CREATE                       |
| tenant_id          | 65ecf5dfa6f8484f81027d3b25af1dbc     |
+--------------------+--------------------------------------+

[Error log] (the trace keeps repeating...)
ERROR oslo_messaging.rpc.dispatcher [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] Exception during message handling: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.
TRACE oslo_messaging.rpc.dispatcher Traceback (most recent call last):
TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply
TRACE oslo_messaging.rpc.dispatcher executor_callback))
TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch
TRACE oslo_messaging.rpc.dispatcher executor_callback)
TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch
TRACE oslo_messaging.rpc.dispatcher result = func(ctxt, **new_args)
TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/neutron-fwaas/neutron_fwaas/services/firewall/fwaas_plugin.py", line 85, in get_firewalls_for_tenant
TRACE oslo_messaging.rpc.dispatcher context, fw['id'])
TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 169, in _make_firewall_dict_with_rules
TRACE oslo_messaging.rpc.dispatcher fw_policy = self.get_firewall_policy(context, fw_policy_id)
TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 395, in get_firewall_policy
TRACE oslo_messaging.rpc.dispatcher fwp = self._get_firewall_policy(context, id)
TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 103, in _get_firewall_policy
TRACE oslo_messaging.rpc.dispatcher raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)
TRACE oslo_messaging.rpc.dispatcher FirewallPolicyNotFound: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.
TRACE oslo_messaging.rpc.dispatcher
ERROR oslo_messaging._drivers.common [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] Returning exception Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found. to caller
ERROR oslo_messaging._drivers.common [req-bedc6d68-268d-4be0-8e68-9c14bf659390 None 65ecf5dfa6f8484f81027d3b25af1dbc] ['Traceback (most recent call last):\n', ' File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply\n executor_callback))\n', ' File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch\n executor_callback)\n', ' File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch\n result = func(ctxt, **new_args)\n', ' File "/opt/stack/neutron-fwaas/neutron_fwaas/services/firewall/fwaas_plugin.py", line 85, in get_firewalls_for_tenant\n context, fw[\'id\'])\n', ' File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 169, in _make_firewall_dict_with_rules\n fw_policy = self.get_firewall_policy(context, fw_policy_id)\n', ' File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 395, in get_firewall_policy\n fwp = self._get_firewall_policy(context, id)\n', ' File "/opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/firewall_db.py", line 103, in _get_firewall_policy\n raise fw_ext.FirewallPolicyNotFound(firewall_policy_id=id)\n', 'FirewallPolicyNotFound: Firewall Policy 40648e44-2175-4ad7-b190-93179900ac63 could not be found.\n']

Changed in neutron:
assignee: nobody → Yushiro FURUKAWA (y-furukawa-2)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/175394

Kyle Mestery (mestery)
Changed in neutron:
milestone: none → liberty-1
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/175394
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=ac12fe19e2845a2459b70deaef85915ad450419c
Submitter: Jenkins
Branch: master

commit ac12fe19e2845a2459b70deaef85915ad450419c
Author: Yushiro FURUKAWA <email address hidden>
Date: Tue Apr 21 10:43:09 2015 +0900

    Insert tenant_id validation for fw and fw-policy

    This commit adds the validation when creating/updating the firewall.
    It checks "tenant_id" of firewall and firewall-policy.

    Closes-Bug: #1446074
    Depends-On: I836d89d077ca25631269604d944485d100281411
    Change-Id: I58f4a31858857ddf40a028b20711376bb194f57d

Changed in neutron:
status: In Progress → Fix Committed
Cedric Brandily (cbrandily) wrote :

https://review.openstack.org/175394 reverted as it breaks firewall-update

Changed in neutron:
status: Fix Committed → In Progress
assignee: Yushiro FURUKAWA (y-furukawa-2) → Cedric Brandily (cbrandily)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/189946

Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → liberty-2
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-2 → liberty-3
Changed in neutron:
assignee: Cedric Brandily (cbrandily) → Sean M. Collins (scollins)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/189946
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=5ee364981dda7aff1605c934ff0768940e76f1d8
Submitter: Jenkins
Branch: master

commit 5ee364981dda7aff1605c934ff0768940e76f1d8
Author: Cedric Brandily <email address hidden>
Date: Tue Jun 9 22:24:19 2015 +0200

    Validate tenant_id between firewall and firewall-policy

    This change ensures that on firewall create/update, the
    firewall-policy (if provided) is shared, or belongs to firewall tenant.

    Change-Id: I71f0bd3f07609f0e4c13f3e717f750fdefd21e05
    Closes-Bug: #1446074
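
The rule stated in this commit message, as an added example that is not the neutron-fwaas code: a policy is accepted only if it is shared or owned by the firewall's tenant, and `validate=False` reproduces the reported state in which a later tenant-scoped read raises a not-found error. Every name here (`validate_policy_tenant`, `POLICIES`, `FIREWALLS`, the exception classes) and the in-memory store are hypothetical; using the stored firewall's tenant on update is an assumption.

```python
# Added illustration, not neutron-fwaas code; every name here is hypothetical.
class PolicyNotFound(Exception):
    pass

class PolicyTenantMismatch(Exception):
    pass

# Constructed sample data: alt_demo owns one private and one shared policy.
POLICIES = {
    "pol-private": {"tenant_id": "alt_demo", "shared": False},
    "pol-shared": {"tenant_id": "alt_demo", "shared": True},
}
FIREWALLS = {}

def get_policy(policy_id, tenant_id, is_admin=False):
    """Tenant-scoped lookup: non-admins see only their own or shared policies."""
    policy = POLICIES.get(policy_id)
    visible = policy and (is_admin or policy["shared"] or policy["tenant_id"] == tenant_id)
    if not visible:
        raise PolicyNotFound(policy_id)
    return policy

def validate_policy_tenant(fw_tenant_id, policy_id):
    """Reject a policy that is neither shared nor owned by the firewall's tenant."""
    if policy_id is None:  # "if provided": nothing to validate
        return
    policy = get_policy(policy_id, fw_tenant_id, is_admin=True)
    if not policy["shared"] and policy["tenant_id"] != fw_tenant_id:
        raise PolicyTenantMismatch(policy_id)

def create_firewall(fw_id, fw_tenant_id, policy_id, validate=True):
    if validate:  # validate=False reproduces the behaviour in the report
        validate_policy_tenant(fw_tenant_id, policy_id)
    FIREWALLS[fw_id] = {"tenant_id": fw_tenant_id, "firewall_policy_id": policy_id}
    return FIREWALLS[fw_id]

def update_firewall(fw_id, body):
    fw = FIREWALLS[fw_id]
    # Assumption: the update body may omit tenant_id, so use the stored one.
    if "firewall_policy_id" in body:
        validate_policy_tenant(fw["tenant_id"], body["firewall_policy_id"])
    fw.update(body)
    return fw

def firewall_with_policy(fw_id):
    """Mimics the later tenant-scoped read that fails in the reported log."""
    fw = FIREWALLS[fw_id]
    return fw, get_policy(fw["firewall_policy_id"], fw["tenant_id"])
```
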

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-3 → 7.0.0