Users cannot create extra-routes with nexthop on ext-net

Bug #1538767 reported by Cedric Brandily
Affects             Status        Importance  Assigned to      Milestone
neutron             Fix Released  Medium      Cedric Brandily
openstack-api-site  Invalid       Undecided   Unassigned

Bug Description

Non-admin users cannot create extra-routes on a router with a nexthop on ext-net subnet:

  # With admin user
  neutron net-create pub --router:external
  neutron subnet-create pub 192.168.0.0/16

  # With non-admin user
  neutron router-create router
  neutron router-gateway-set router pub
  neutron router-update router --routes nexthop=192.168.0.99,destination=10.10.10.0/24
  >> Invalid format for routes: [{u'destination': u'10.10.10.0/24', u'nexthop': u'192.168.0.99'}], the nexthop is not connected with router

But it succeeds with an admin user.

nexthop validation gets all ports connected to the router to check if nexthop is on a subnet connected to the router BUT non-admin users are only allowed to get internal ports!

Tags: l3-ipam-dhcp
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/273278

Changed in neutron:
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
milestone: none → mitaka-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/273278
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d5d378769f0715e3254ac00b6f091a6f9f6960b
Submitter: Jenkins
Branch: master

commit 3d5d378769f0715e3254ac00b6f091a6f9f6960b
Author: Cedric Brandily <email address hidden>
Date: Wed Jan 27 23:58:18 2016 +0100

    Allow non-admins to define "external" extra-routes

    Currently non-admin users can create extra-routes when the nexthop is on
    router-interfaces subnets but not on external-network subnet. Indeed
    user permissions are used to get router ports in order to validate
    nexthops BUT non-admin users don't "see" router port on its external
    network.

    This change uses an elevated context instead of user context to enable
    non-admins to create "external" extra-routes.

    APIImpact
    Closes-Bug: #1538767
    Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124

Changed in neutron:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b3

This issue was fixed in the openstack/neutron 8.0.0.0b3 development milestone.

Changed in openstack-api-site:
status: New → Invalid
status: Invalid → New
Changed in openstack-api-site:
status: New → Invalid
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/290184

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/290184
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=22aed6d8061cc609da2351df23b6f5ef40ca8358
Submitter: Jenkins
Branch: master

commit 22aed6d8061cc609da2351df23b6f5ef40ca8358
Author: Shih-Hao Li <email address hidden>
Date: Thu Mar 10 00:22:45 2016 -0800

    Fix the context passed to get_subnets in _validate_routes

    In the patch for bug #1538767 (https://review.openstack.org/#/c/273278),
    get_ports() is passed with context.elevated(), while later get_subnet()
    for those ports is still passed with the original context. This could
    cause "Subnet could not be found" exception for ports only accessible
    in context.elevated() but not in the original context.

    This commit replaces context with context.elevated() in get_subnet().

    Related-Bug: #1538767
    Change-Id: I21e73625e0a625a431bfb22f847c3b6f9671daea
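As an added illustration (not Neutron's code and not part of this bug report), the following Python model reproduces the validation flow described in the bug description and in both commits above: tenant-scoped port and subnet lookups, the original user-context check that fails for a non-admin, the first fix that elevates only the port lookup (and then trips over the subnet lookup), and the follow-up that elevates the subnet lookup as well. `Context`, `validate_routes`, `outcome` and the tenant/subnet data are constructed for the example.

```python
# Added example, not Neutron's code: a minimal model of extra-route nexthop
# validation showing why a non-admin's user context fails and what each fix does.
from ipaddress import ip_address, ip_network

class SubnetNotFound(Exception): pass
class InvalidRoute(Exception): pass

class Context:
    def __init__(self, tenant_id, is_admin=False):
        self.tenant_id, self.is_admin = tenant_id, is_admin
    def elevated(self):
        return Context(self.tenant_id, is_admin=True)

# Constructed data: the gateway port and the external subnet belong to the admin
# tenant; the router interface and its subnet belong to tenant "t1".
SUBNETS = {"ext": ("admin", "192.168.0.0/16"), "priv": ("t1", "10.0.0.0/24")}
PORTS = [("r1", "admin", "ext"),   # (device_id, tenant_id, subnet_id): gateway port
         ("r1", "t1", "priv")]     # router interface on the tenant subnet

def get_ports(ctx, router_id):
    # Non-admins only see ports of their own tenant; admins see every port.
    return [p for p in PORTS
            if p[0] == router_id and (ctx.is_admin or p[1] == ctx.tenant_id)]

def get_subnet(ctx, subnet_id):
    owner, cidr = SUBNETS[subnet_id]
    if not (ctx.is_admin or owner == ctx.tenant_id):
        raise SubnetNotFound(subnet_id)
    return ip_network(cidr)

def validate_routes(ctx, router_id, routes, elevate_ports=False, elevate_subnets=False):
    """Accept a route only if its nexthop lies on a subnet attached to the router.
    elevate_ports models commit 3d5d3787 (get_ports via ctx.elevated());
    elevate_subnets models commit 22aed6d8 (get_subnet via ctx.elevated() too)."""
    pctx = ctx.elevated() if elevate_ports else ctx
    sctx = ctx.elevated() if elevate_subnets else ctx
    cidrs = [get_subnet(sctx, p[2]) for p in get_ports(pctx, router_id)]
    for r in routes:
        if not any(ip_address(r["nexthop"]) in c for c in cidrs):
            raise InvalidRoute("the nexthop is not connected with router")
    return True

def outcome(ctx, router_id, routes, **flags):
    """Return 'ok', 'invalid' or 'subnet-not-found' for a context and fix flags."""
    try:
        validate_routes(ctx, router_id, routes, **flags)
        return "ok"
    except (InvalidRoute, SubnetNotFound) as e:
        return "invalid" if isinstance(e, InvalidRoute) else "subnet-not-found"
```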

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/291694

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/liberty)

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/291696

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/liberty)

Change abandoned by Cedric Brandily (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/291694
Reason: Bring a security concern for the one using routing to secure things (...)

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Cedric Brandily (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/291696
Reason: Bring a security concern for the one using routing to secure things (...)
