[RFE] Add attribute to a port that lists the UUIDs of other ports that the port is allowed to impersonate
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Won't Fix | Wishlist | Dongcan Ye |
Bug Description
=======
Advanced policy for address pair
=======
The allowed address pair extension extends the port attribute to enable you to
specify arbitrary mac_address/ip_address pairs that are allowed to pass
through a port regardless of the subnet associated with the network.
The allowed address pairs are typically used to specify a moving or virtual
IP between an HA server pair.
Problem Description
===================
An end user can only create ports with allowed address pairs on non-owned
networks (shared or provider) with elevated privileges. With elevated
privileges it is possible to use any IP or MAC address. This poses a
significant security risk, because the attacker may abuse this privilege
for DoS or man-in-the-middle attacks.
Proposed Change
===============
Extend the currently existing policy with a rule that allows a user to
create or update a port with allowed address pairs to already allocated
IP / MAC addresses.
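One way to implement the rule proposed above, as an added example written for this page and not Neutron's own policy code: a non-admin request to set allowed_address_pairs is accepted only when every IP and MAC in it is already allocated to a port the requester owns, or to a port named in the per-port attribute from the RFE title. `PortRecord`, `impersonate_ports`, `check_allowed_address_pairs` and the sample ports are assumptions made for this illustration; Neutron's real attribute names and policy hooks differ.

```python
"""Added example (not Neutron code): policy check for allowed_address_pairs.

Rule demonstrated: outside of admin context, an allowed address pair may only
name an IP/MAC that is already allocated to a port the requester owns, or to a
port listed in the (assumed) new `impersonate_ports` attribute of the port being
updated. CIDR entries wider than one host are rejected because they would cover
addresses nobody has allocated.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class PortRecord:
    id: str
    tenant_id: str
    mac_address: str
    fixed_ips: List[str]
    # Assumed attribute from the RFE title: UUIDs of other ports this port is
    # allowed to impersonate. Who may write it (the target port's owner or an
    # admin) is not settled on the bug page; the check below only reads it.
    impersonate_ports: List[str] = field(default_factory=list)


def _single_host(value: str) -> Optional[str]:
    """Return the address if `value` is exactly one host (plain IP, /32 or /128), else None."""
    try:
        net = ip_network(value, strict=False)
    except ValueError:
        return None
    return str(net.network_address) if net.num_addresses == 1 else None


def check_allowed_address_pairs(
    requester_tenant: str,
    port: PortRecord,
    pairs: List[Dict[str, str]],
    ports_by_id: Dict[str, PortRecord],
    is_admin: bool = False,
) -> Tuple[bool, str]:
    """Decide whether `requester_tenant` may set `pairs` on `port`.

    Returns (allowed, reason). Admins keep today's unrestricted behaviour;
    everyone else is limited to addresses already allocated to ports they own
    or that `port.impersonate_ports` names.
    """
    if is_admin:
        return True, "admin: unrestricted (current behaviour)"
    if port.tenant_id != requester_tenant:
        return False, "requester does not own port %s" % port.id

    # Ports whose addresses the requester may claim: its own, plus any it is
    # explicitly allowed to impersonate.
    candidates = [p for p in ports_by_id.values() if p.tenant_id == requester_tenant]
    for pid in port.impersonate_ports:
        peer = ports_by_id.get(pid)
        if peer is None:
            return False, "impersonate_ports names unknown port %s" % pid
        candidates.append(peer)

    allowed_ips = {ip for p in candidates for ip in p.fixed_ips}
    allowed_macs = {p.mac_address.lower() for p in candidates}

    for pair in pairs:
        ip = _single_host(pair.get("ip_address", ""))
        if ip is None or ip not in allowed_ips:
            return False, "ip_address %r is not allocated to a usable port" % pair.get("ip_address")
        mac = pair.get("mac_address")  # omitted means the port's own MAC, which is always owned
        if mac is not None and mac.lower() not in allowed_macs:
            return False, "mac_address %r is not allocated to a usable port" % mac
    return True, "ok"


# Constructed sample inventory on one shared network (not real data): tenant-a
# runs an HA pair p1/p2, tenant-b owns p3 holding the subnet's gateway address.
PORTS: Dict[str, PortRecord] = {
    "p1": PortRecord("p1", "tenant-a", "fa:16:3e:00:00:11", ["10.0.0.11"]),
    "p2": PortRecord("p2", "tenant-a", "fa:16:3e:00:00:12", ["10.0.0.12"]),
    "p3": PortRecord("p3", "tenant-b", "fa:16:3e:00:00:01", ["10.0.0.1"]),
}


if __name__ == "__main__":
    requests = [
        ("HA VIP moving between own ports", [{"ip_address": "10.0.0.12"}]),
        ("claim the gateway owned by another tenant", [{"ip_address": "10.0.0.1"}]),
        ("claim a whole prefix", [{"ip_address": "10.0.0.0/24"}]),
        ("foreign MAC on an owned IP", [{"ip_address": "10.0.0.12", "mac_address": "fa:16:3e:00:00:01"}]),
    ]
    for label, pairs in requests:
        print(label, "->", check_allowed_address_pairs("tenant-a", PORTS["p1"], pairs, PORTS))
```

Checking IP and MAC independently against the candidate set is deliberately a little looser than requiring each pair to match one single port: it still confines the user to addresses already allocated to ports they may use, which is what the proposal asks for, while keeping the HA case (peer's IP with the port's own MAC) simple.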
summary: "advanved policy for allowed addres pais" → "advanved policy for allowed addres pairs"
Changed in neutron:
  status: New → Confirmed
  importance: Undecided → Wishlist
summary: "advanved policy for allowed addres pairs" → "[RFE] advanced policy for allowed addres pairs"
Changed in neutron:
  status: Incomplete → Triaged
tags: added rfe-approved; removed rfe
summary: "[RFE] advanced policy for allowed addres pairs" → "[RFE] Add attribute to the a prot that lists the UUIDs of other ports that the port is allowed to impersonate"
summary: "[RFE] Add attribute to the a prot that lists the UUIDs of other ports" → "[RFE] Add attribute to the a port that lists the UUIDs of other ports that the port is allowed to impersonate"
Changed in neutron:
  assignee: nobody → Dongcan Ye (hellochosen)
You mean you want to limit the user to be able to add IP/MAC pairs only if they match MAC/IPs assigned to existing neutron ports that he/she owns?