Tenants could potentially modify rules from not owned policies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Undecided | yong sheng gong |
Bug Description
In configurations where the policy creation is left open to the tenants by policy.json modification, this is possible:
a) Admin creates policy A, attaches Rule X
b) Tenant creates policy B, modifies rule X via API.
AS ADMIN:
[vagrant@devstack ~]$ source ~/devstack/
[vagrant@devstack ~]$ neutron qos-policy-create A --description "policy A"
Created a new policy:
+------
| Field | Value |
+------
| description | policy A |
| id | 98134993-
| name | A |
| rules | |
| shared | False |
| tenant_id | 1556829297534c3
+------
[vagrant@devstack ~]$ neutron qos-bandwidth-
Created a new bandwidth_
+------
| Field | Value |
+------
| id | 4a548459-
| max_burst_kbps | 0 |
| max_kbps | 100 |
+------
AS REGULAR TENANT:
[vagrant@devstack ~]$ source ~/devstack/
[vagrant@devstack ~]$ neutron qos-policy-create B --description "policy B"
Created a new policy:
+------
| Field | Value |
+------
| description | policy B |
| id | 2ec2b6e2-
| name | B |
| rules | |
| shared | False |
| tenant_id | c931dc21a7a241f
+------
[vagrant@devstack ~]$ neutron qos-bandwidth-
Updated bandwidth_
[vagrant@devstack ~]$ neutron qos-bandwidth-
+------
| Field | Value |
+------
| id | 4a548459-
| max_burst_kbps | 0 |
| max_kbps | 222 |
+------
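The gap described above, reduced to an in-memory model. This is an added example, not neutron's code or the fix from the linked review. The `QosStore` class, its method names, and the flawed lookup (authorizing on the policy named in the request while finding the rule by ID alone) are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when the caller may not touch the requested object."""


@dataclass
class Policy:
    id: str
    tenant_id: str
    rules: dict = field(default_factory=dict)  # rule_id -> {"max_kbps": int}


class QosStore:
    """Constructed in-memory stand-in for a QoS policy/rule database."""

    def __init__(self):
        self.policies = {}

    def create_policy(self, policy_id, tenant_id):
        self.policies[policy_id] = Policy(policy_id, tenant_id)

    def add_rule(self, policy_id, rule_id, max_kbps):
        self.policies[policy_id].rules[rule_id] = {"max_kbps": max_kbps}

    def _find_rule(self, rule_id):
        # Global lookup: ignores which policy the rule is attached to.
        for policy in self.policies.values():
            if rule_id in policy.rules:
                return policy.rules[rule_id]
        raise KeyError(rule_id)

    def update_rule_unchecked(self, caller, policy_id, rule_id, max_kbps):
        # Flawed (assumed): authorizes against the policy named in the request,
        # then resolves the rule by ID alone, so the two are never tied together.
        if self.policies[policy_id].tenant_id != caller:
            raise NotAuthorized(policy_id)
        self._find_rule(rule_id)["max_kbps"] = max_kbps

    def update_rule_checked(self, caller, policy_id, rule_id, max_kbps,
                            is_admin=False):
        policy = self.policies[policy_id]
        if not is_admin and policy.tenant_id != caller:
            raise NotAuthorized(policy_id)
        # Resolve the rule only inside the policy the caller was authorized on.
        if rule_id not in policy.rules:
            raise NotAuthorized(rule_id)
        policy.rules[rule_id]["max_kbps"] = max_kbps
```

With policy A and rule X owned by the admin tenant and policy B owned by a regular tenant, the unchecked path lets the tenant change rule X by naming policy B, while the checked path rejects the same request.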
Changed in neutron:
assignee: nobody → yong sheng gong (gongysh)
Changed in neutron:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Changed in neutron:
milestone: liberty-3 → 7.0.0
Fix proposed to branch: master
Review: https://review.openstack.org/216603