[OSSA 2013-024] nova should check the is_public of flavor when creating an instance
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Critical | Russell Bryant |
Grizzly | Fix Released | Critical | Russell Bryant |
OpenStack Security Advisory | Fix Released | High | Thierry Carrez |
Bug Description
If a flavor is created with is_public "false", the flavor should be accessible only by an admin or a user who has been granted access.
Currently the "get flavor details" API checks the is_public of the flavor, but the "create an instance" API does not.
In the following case, a user (not admin) cannot access a non-public flavor through the "get flavor details" API; this is the right behavior.
However, he can access the non-public flavor through the "create an instance" API.
=== admin =======
$ nova flavor-create --is-public false private-flavor 6 512 0 1
+----+-
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-
| 6 | private-flavor | 512 | 0 | 0 | | 1 | 1.0 | False |
+----+-
$
$ curl -i http://
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 428
X-Compute-
Date: Wed, 14 Aug 2013 09:38:10 GMT
{"flavor": {"name": "m1.xlarge", "links": [{"href": "http://
$
=== user("demo" user on devstack) =======
$ nova flavor-list
+----+-
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-
| 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True |
| 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True |
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True |
| 42 | m1.nano | 64 | 0 | 0 | | 1 | 1.0 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True |
| 84 | m1.micro | 128 | 0 | 0 | | 1 | 1.0 | True |
+----+-
$
$ curl -i http://
HTTP/1.1 404 Not Found
Content-Length: 78
Content-Type: application/json; charset=UTF-8
X-Compute-
Date: Wed, 14 Aug 2013 09:36:52 GMT
{"itemNotFound": {"message": "The resource could not be found.", "code": 404}}
$
$ curl -i http://
HTTP/1.1 202 Accepted
Location: http://
Content-Type: application/json
Content-Length: 440
X-Compute-
Date: Wed, 14 Aug 2013 09:41:50 GMT
{"server": {"security_groups": [{"name": "default"}], "OS-DCF:
$ nova list
+------
| ID | Name | Status | Task State | Power State | Networks |
+------
| 91407b32-
+------
$
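A minimal model of the inconsistency reported above, added here as an illustration and not nova's own code: the show path enforces flavor visibility while the create path does not. `Context`, `Flavor`, `get_flavor_checked` and the other names are hypothetical; the flavor data is constructed to mirror the report.

```python
# Added illustration; all names are hypothetical and this is not nova's code.
from dataclasses import dataclass, field

class FlavorNotFound(Exception):
    """Raised for missing and for inaccessible flavors alike (maps to the 404)."""

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

@dataclass
class Flavor:
    flavor_id: str
    name: str
    is_public: bool = True
    allowed_projects: set = field(default_factory=set)  # explicit access grants

# Constructed sample data: one public flavor and the private flavor 6.
FLAVORS = {
    "1": Flavor("1", "m1.tiny"),
    "6": Flavor("6", "private-flavor", is_public=False),
}

def get_flavor_checked(ctx, flavor_id):
    """Single lookup shared by every API path: resolve, then enforce visibility."""
    flavor = FLAVORS.get(flavor_id)
    if flavor is None:
        raise FlavorNotFound(flavor_id)
    if not (flavor.is_public or ctx.is_admin
            or ctx.project_id in flavor.allowed_projects):
        raise FlavorNotFound(flavor_id)
    return flavor

def show_flavor(ctx, flavor_id):
    """'get flavor details': already checks is_public in the report."""
    return get_flavor_checked(ctx, flavor_id).name

def create_server_unchecked(ctx, name, flavor_id):
    """Reported behaviour: the flavor is resolved with no visibility check."""
    flavor = FLAVORS[flavor_id]
    return {"name": name, "flavor": flavor.name, "project": ctx.project_id}

def create_server(ctx, name, flavor_id):
    """Corrected path: same check as show_flavor before the request is accepted."""
    flavor = get_flavor_checked(ctx, flavor_id)
    return {"name": name, "flavor": flavor.name, "project": ctx.project_id}
```

Routing both paths through one checked lookup keeps a later API from repeating the omission.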
Changed in nova: | |
assignee: | nobody → Ken'ichi Ohmichi (oomichi) |
status: | New → In Progress |
Changed in nova: | |
importance: | Undecided → Critical |
Changed in nova: | |
milestone: | none → havana-3 |
Changed in ossa: | |
importance: | Undecided → High |
status: | Incomplete → Confirmed |
Changed in nova: | |
assignee: | Ken'ichi Ohmichi (oomichi) → Russell Bryant (russellb) |
Changed in ossa: | |
status: | Triaged → In Progress |
status: | In Progress → Fix Committed |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
summary: |
- nova should check the is_public of flavor when creating an instance
+ [OSSA 2013-024] nova should check the is_public of flavor when creating an instance |
Changed in nova: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | havana-3 → 2013.2 |
no longer affects: | nova/folsom |
Since the other instance of this problem resulted in issuing an advisory (OSSA 2013-019), I'm assuming this one warrants one as well. Opinions?