tenants seem like they were able to detach admin enforced QoS policies from ports or networks

Bug #1486607 reported by Miguel Angel Ajo
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
Nate Johnston

Bug Description

NOTE: Even if the API responds with "ok" to the port update, it's not really changing the admin enforced policy, we should just provide a better
error / response code.

If the CSP is using manually tagging specific tenant networks to follow specific qos profiles, a tenant could use

neutron port-update <port-id> --no-qos-policy

or

neutron net-update <net-id> --no-qos-policy

It will seem like if the port or net was correctly updated, but it isn't. We can lower the importance of this bug to low/medium.

Tags: qos
Revision history for this message
changzhi (changzhi) wrote :

Even admin tenant can not update other tenant's resource?

Changed in neutron:
assignee: nobody → yong sheng gong (gongysh)
Revision history for this message
Miguel Angel Ajo (mangelajo) wrote :

admin should be able to do it, but not tenants (when it's not their own policy).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/217092

Changed in neutron:
status: New → In Progress
Changed in neutron:
assignee: yong sheng gong (gongysh) → Tong Li (litong01)
Changed in neutron:
assignee: Tong Li (litong01) → yong sheng gong (gongysh)
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → liberty-rc1
importance: Undecided → High
Kyle Mestery (mestery)
Changed in neutron:
milestone: liberty-rc1 → mitaka-1
summary: - tenants are able to detach admin enforced QoS policies from ports or
- networks
+ tenants seem like they were able to detach admin enforced QoS policies
+ from ports or networks
description: updated
description: updated
Changed in neutron:
importance: High → Low
Changed in neutron:
milestone: mitaka-1 → mitaka-2
Changed in neutron:
milestone: mitaka-2 → mitaka-3
Changed in neutron:
milestone: mitaka-3 → mitaka-rc1
Changed in neutron:
milestone: mitaka-rc1 → none
assignee: yong sheng gong (gongysh) → nobody
status: In Progress → Incomplete
importance: Low → Undecided
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/217092
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

If you are still working on this please resume, or allow someone else to pick this up.

Changed in neutron:
status: Incomplete → Confirmed
importance: Undecided → Low
Changed in neutron:
importance: Low → Medium
assignee: nobody → Nate Johnston (nate-johnston)
tags: added: mitaka-backport-potential
tags: added: liberty-backport-potentiall
Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
assignee: Nate Johnston (nate-johnston) → Margaret Frances (margaret-frances)
Changed in neutron:
assignee: Margaret Frances (margaret-frances) → Nate Johnston (nate-johnston)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/217092
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4ec6932c93764fd7731928f1faa24b6c88fa9493
Submitter: Jenkins
Branch: master

commit 4ec6932c93764fd7731928f1faa24b6c88fa9493
Author: Tong Li <email address hidden>
Date: Tue Sep 15 17:23:42 2015 -0400

    Respond negatively to tenant detachment of enforced QoS policies

    Currently when the tenant attempts to detach an enforced QoS policy
    for a port or network set by admin, the attempt fails but the API
    feedback indicates that it was successful. This change will
    fix the API response so the failure is accurately signalled
    to the tenant.

    Co-Authored-By: litong01 <email address hidden>
    Co-Authored-By: gong yong sheng <gong.yongsheng@99cloud.net>
    Co-Authored-By: Nate Johnston <email address hidden>
    Co-Authored-By: Margaret Frances <email address hidden>

    Change-Id: I977feecc6cce378abc1e6092afbaf9f2681b2ec6
    Closes-bug: #1486607

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 9.0.0.0b2

This issue was fixed in the openstack/neutron 9.0.0.0b2 development milestone.

Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Mitaka is now critical/CVE only.

tags: removed: liberty-backport-potentiall
tags: removed: mitaka-backport-potential
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.