Non admin users can modify config in Contrail UI

Bug #1321475 reported by Abhishek Chanda
Affects: OpenContrail
Status: Fix Committed
Importance: High
Assigned to: Deepinder Setia
Milestone: (none)

Bug Description

1) Log into the Contrail UI as any tenant that does not have admin privileges.
2) The user can edit/change BGP peers and other settings.

Abhishek Chanda (abhishek-i) wrote :

Any thoughts on this?

information type: Private Security → Public Security
Pedro Marques (5-roque) wrote :

We need to flip the defaults such that multi tenancy is always on unless explicitly disabled.
If request authentication is off then neither the contrail api server or contrail web-ui can be exposed to anyone other than an admin user.

Assuming multi-tenancy is enabled we need to verify that system objects are owned by an admin user and not modifiable.

Changed in opencontrail:
assignee: nobody → Deepinder Setia (dsetia)
importance: Undecided → High
tags: added: api-server
tags: added: contrail-api
removed: api-server
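The ownership rule Pedro Marques outlines above (multi-tenancy on by default, system objects such as BGP peers owned by admin and not modifiable by tenants) can be expressed as a small authorization check. This is an added illustration, not code from OpenContrail or the linked review; the object types, tenant names and `Settings`/`Caller`/`ConfigObject` types are constructed for the example.

```python
"""Tenant-scoped write authorization modelled on the fix described in this
bug report. Hypothetical example code; the type names and the list of
system object types are assumptions, not OpenContrail's own definitions."""
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLE = "admin"
# Object types treated as system-wide infrastructure (constructed list;
# BGP peers are the case reported in this bug).
SYSTEM_TYPES = frozenset({"bgp-router", "global-system-config",
                          "global-vrouter-config"})


@dataclass
class Settings:
    # Fail closed: multi-tenancy is on unless an operator disables it.
    multi_tenancy: bool = True


@dataclass
class Caller:
    tenant: str
    roles: frozenset = field(default_factory=frozenset)

    @property
    def is_admin(self) -> bool:
        return ADMIN_ROLE in self.roles


@dataclass
class ConfigObject:
    obj_type: str
    owner_tenant: str  # tenant that created the object


def can_modify(caller: Caller, obj: ConfigObject,
               settings: Optional[Settings] = None) -> bool:
    """Return True only if `caller` may edit or delete `obj`."""
    settings = settings or Settings()
    if not settings.multi_tenancy:
        # With request authentication off the API must not be reachable
        # by anyone but an admin, so only admins may write at all.
        return caller.is_admin
    if caller.is_admin:
        return True
    if obj.obj_type in SYSTEM_TYPES or obj.owner_tenant == ADMIN_ROLE:
        # System objects are admin-owned and never tenant-modifiable.
        return False
    # Ordinary tenant objects: only the owning tenant may change them.
    return obj.owner_tenant == caller.tenant
```

A non-admin tenant editing a `bgp-router` object, the scenario in the bug description, is denied; the same tenant editing its own `virtual-network` is allowed.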
Pedro Marques (5-roque) wrote :

The following commit should address this concern:
https://review.opencontrail.org/#/c/3468/

Changed in opencontrail:
status: New → Fix Committed
tags: added: config
This report contains Public Security information  
Everyone can see this security related information.
