[API] Filtering by fields not allowed to see is possible for regular users

Bug #1884067 reported by Slawek Kaplonski
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Confirmed | High | vinay harsha mitta |

Bug Description

It seems that a regular user, even if they can't see the binding:host_id field for the port, can filter based on this field:

neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+
| id |
+--------------------------------------+
| 79949e8d-98dc-4fba-8897-c85a2bf89da7 |
| 7b91b484-4a9d-4160-84f7-bf1aed35d42a |
| 92023b4e-11bd-42be-a60d-609dc237873d |
| d987e708-1439-411d-848c-15a918ec3198 |
+--------------------------------------+

 [stack@undercloud-0 ~]$ neutron port-list --binding:host_id compute-1.redhat.local
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| 7b91b484-4a9d-4160-84f7-bf1aed35d42a | | fa:16:3e:38:fe:b6 | {"subnet_id": "da9e51d0-a9a5-43ee-8ae1-d79bbfd9ee71", "ip_address": "192.168.100.151"} |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
 [stack@undercloud-0 ~]$ neutron port-list --binding:host_id compute-0.redhat.local
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.

Tags: api
Changed in neutron:
assignee: nobody → vinay harsha mitta (vinay7)
vinay harsha mitta (vinay7) wrote :

Hi, adding my understanding here regarding this bug; please let me know if I miss something:
With reference to this [1], I could understand that a regular user's response doesn't contain binding-opt,
but an admin's does [2], so a regular user should be restricted with that filtering field.

Reproduced in my single host env: http://paste.openstack.org/show/798593/

[1] : https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports-detail#id70

[2] : https://docs.openstack.org/api-ref/network/v2/index.html?expanded=list-ports-detail#id71
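
Added example (not part of the bug report and not Neutron code): a minimal model of the behaviour reported above, next to a list handler that rejects filters on fields the caller may not read. The policy table, function names and port records are assumptions constructed for illustration; only the field name binding:host_id comes from the report.

```python
# Added illustration; not Neutron code. The policy table, helper names
# and sample ports are assumptions; only binding:host_id is from the report.
ADMIN_ONLY_FIELDS = {"binding:host_id"}  # assumed visibility policy

# Constructed sample data (not taken from the report).
PORTS = [
    {"id": "port-a", "mac_address": "fa:16:3e:00:00:01", "binding:host_id": "compute-0"},
    {"id": "port-b", "mac_address": "fa:16:3e:00:00:02", "binding:host_id": "compute-1"},
    {"id": "port-c", "mac_address": "fa:16:3e:00:00:03", "binding:host_id": "compute-1"},
]


class FilterNotAllowed(Exception):
    """Raised when a caller filters on a field they may not read."""


def visible_fields(port, is_admin):
    """Strip fields the caller is not allowed to see from one record."""
    return {k: v for k, v in port.items()
            if is_admin or k not in ADMIN_ONLY_FIELDS}


def list_ports_unchecked(filters, is_admin):
    """Reported behaviour: match on the full record, hide fields afterwards.

    The hidden value never appears in the response, but which rows come
    back still reveals it to the caller.
    """
    hits = [p for p in PORTS
            if all(p.get(k) == v for k, v in filters.items())]
    return [visible_fields(p, is_admin) for p in hits]


def list_ports_checked(filters, is_admin):
    """Reject filters on unreadable fields before any matching is done."""
    denied = sorted(k for k in filters
                    if not is_admin and k in ADMIN_ONLY_FIELDS)
    if denied:
        raise FilterNotAllowed("cannot filter on: " + ", ".join(denied))
    return list_ports_unchecked(filters, is_admin)
```

The point of the checked version is that the filter keys go through the same read policy as the response fields, so hiding a column also removes it as a query predicate.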

This report contains Public information  
Everyone can see this information.
