Nova calls into neutron as admin circumventing fixed-ip on shared network
Bug #1233335 reported by
Aaron Rosen
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned |
Bug Description
In Neutron on shared networks the default policy is to not allow tenants to specify their own fixed IPs. This is done so that one cannot deliberately try to impersonate another tenant's instance after it has been deleted. The reason this is working is because nova is calling into neutron as admin.
$quantum port-create --fixed-ip ip_address=
{"NeutronError": "Policy doesn't allow create_port to be performed."}
^Fails
$ nova boot --image cirros-
^Succeeds
Marking as a security vulnerability though it's probably not really a big deal.
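To make the bypass in the report concrete, here is an added toy model of the check described above. It is not code from Neutron or nova: the rule strings are constructed to mimic the shape of Neutron's policy.json (an assumption, simplified), the evaluator is a hand-written subset of the "rule:" / "role:" / "attr:%(target)s" / "or" semantics, and the contexts, network and IP are made-up sample data. Calling create_port with the tenant's own context is denied, while the same port created through nova's admin context succeeds.

```python
"""Toy model of the Neutron policy check for create_port with fixed_ips.

Added example, not Neutron or nova code. POLICY mimics the shape of
Neutron's policy.json (assumed, simplified); enforce() is a small
hand-written subset of the policy language, not oslo.policy.
"""
import re

# Constructed policy (assumption): only an admin or the network owner may
# pick fixed IPs; creating a plain port is open to everyone.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network_tenant_id)s",
    "create_port": "",  # empty rule: always allowed
    "create_port:fixed_ips": "rule:admin_or_network_owner",
}

DENIED = "Policy doesn't allow create_port to be performed."

# Constructed sample data: a shared network owned by the cloud admin tenant.
SHARED_NET = {"id": "net-shared", "tenant_id": "admin-tenant", "shared": True}
TENANT_A = {"tenant_id": "tenant-a", "roles": ["member"]}
ADMIN_CTX = {"tenant_id": "admin-tenant", "roles": ["admin"]}  # what nova uses


def _check_atom(atom, ctx, target):
    """Evaluate one atom: rule:<name>, role:<name>, or <ctx_attr>:%(<target_key>)s."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, ctx, target)
    if kind == "role":
        return value in ctx["roles"]
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        # e.g. tenant_id:%(network_tenant_id)s -> ctx["tenant_id"] == target["network_tenant_id"]
        return ctx.get(kind) == target.get(m.group(1))
    raise ValueError("unsupported policy atom: " + atom)


def enforce(rule_name, ctx, target):
    """Return True if ctx is allowed by rule_name for this target ('or' only)."""
    expr = POLICY[rule_name]
    if expr == "":
        return True
    return any(_check_atom(a.strip(), ctx, target) for a in expr.split(" or "))


def create_port(ctx, port, network):
    """Mimic Neutron's create_port: a base rule plus a per-attribute rule for fixed_ips."""
    target = {"network_tenant_id": network["tenant_id"], "tenant_id": port["tenant_id"]}
    if not enforce("create_port", ctx, target):
        return DENIED
    if port.get("fixed_ips") and not enforce("create_port:fixed_ips", ctx, target):
        return DENIED
    return "created"


def nova_boot(user_ctx, fixed_ip, network):
    """nova-compute creates the port with its own admin credentials, not the user's,
    so the fixed_ips policy never sees the tenant that actually asked for the IP."""
    port = {"tenant_id": user_ctx["tenant_id"], "fixed_ips": [fixed_ip]}
    return create_port(ADMIN_CTX, port, network)


if __name__ == "__main__":
    # Direct API call by the tenant: refused, as in the report's port-create.
    print(create_port(TENANT_A, {"tenant_id": "tenant-a", "fixed_ips": ["10.0.0.5"]}, SHARED_NET))
    # Same request routed through nova: accepted, because nova is admin.
    print(nova_boot(TENANT_A, "10.0.0.5", SHARED_NET))
```

The two calls at the bottom reproduce the pair shown in the report: the tenant's own port-create with a fixed IP hits the create_port:fixed_ips rule and is refused, while the boot path builds the port under the admin context and the same rule passes.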
tags: added: network
Changed in nova:
status: New → Confirmed
information type: Private Security → Public
Changed in nova:
assignee: Aaron Rosen (arosen) → nobody
Changed in neutron:
status: New → Triaged
importance: Undecided → High
tags: added: l3-ipam-dhcp nova-neutron
Changed in neutron:
assignee: nobody → Eugene Nikanorov (enikanorov)
Changed in neutron:
assignee: Eugene Nikanorov (enikanorov) → nobody
Unfortunately, there doesn't seem to be an easy way to fix this. If a plugin has the port-bindings extension loaded, nova-compute needs to call into neutron as admin to set these values. Probably a nothing reason why creating the port on the nova-compute node is a bad idea...