Ceilometer alarm-threshold-update CLI does not support updating project-id, user-id and time-constraint fields of alarm but listed as valid options for alarm update.
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-ceilometerclient | Fix Released | Undecided | Jiri Suchomel | | |
Bug Description
ceilometer alarm-threshold
ceilometer help alarm-threshold
usage: ceilometer alarm-threshold
There are multiple issues with the above CLI.
1) User-provided options are not parsed and updated properly before they are sent to the API call
2) Even if project-
UPDATABLE_
    'name',
    'description',
    'type',
    'state',
    'enabled',
    'alarm_
    'ok_actions',
    'insufficie
    'repeat_
    'threshold_
    'combinatio
]
def update(self, alarm_id, **kwargs):
    alarm = self.get(alarm_id)
    if alarm is None:
        raise exc.CommandErro
    updated = alarm.to_dict()
    kwargs = dict((k, v) for k, v in kwargs.items()
    return self._update(
3. I can update the project-id.. params using curl but this should be restricted if CLI's restriction of project-
curl -i -X PUT -H 'User-Agent: ceilometerclien
{"meter_name": "image", "evaluation_
, "alarm_id": "161b60ed-
pchalla@
-------
Property Value
-------
alarm_actions []
alarm_id 161b60ed-
comparison_operator eq
description test alarm created with project id
enabled True
evaluation_periods 1
exclude_outliers False
insufficient_
meter_name image
name alarm1
ok_actions []
period 60
project_id 5ffead616e7a494
query
repeat_actions False
state insufficient data
statistic avg
threshold 20.0
type threshold
user_id ea9817c1e4d2468
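The report's three points can be seen side by side in the following added example, which is not part of the original report or of python-ceilometerclient: a client-side allowlist that silently drops fields, a variant that rejects them, and a server-side check, since a client allowlist does not constrain a direct PUT. The allowlist contents, function names, sample alarm and the admin-only policy in `api_guard` are all assumptions made for illustration.

```python
# Constructed allowlist modelled on the truncated list in the report;
# the names below are illustrative, not the client's real constant.
UPDATABLE = {"name", "description", "type", "state", "enabled",
             "alarm_actions", "ok_actions", "repeat_actions"}
OWNERSHIP_FIELDS = ("project_id", "user_id")

# Constructed sample alarm with placeholder identifiers.
ALARM = {"name": "alarm1", "enabled": True,
         "project_id": "project-a", "user_id": "user-a"}


def merge_silent(current, **kwargs):
    """Client behaviour described in the report: unknown keys vanish."""
    updated = dict(current)
    updated.update({k: v for k, v in kwargs.items() if k in UPDATABLE})
    return updated


def merge_strict(current, **kwargs):
    """Fail loudly instead, so the caller learns the field was not sent."""
    rejected = sorted(k for k in kwargs if k not in UPDATABLE)
    if rejected:
        raise ValueError("not updatable: " + ", ".join(rejected))
    updated = dict(current)
    updated.update(kwargs)
    return updated


def api_guard(stored, body, is_admin=False):
    """Hypothetical server-side check: a client allowlist does not bind a
    caller who sends the PUT directly, so ownership changes are refused here."""
    changed = [f for f in OWNERSHIP_FIELDS
               if f in body and body[f] != stored.get(f)]
    if changed and not is_admin:
        raise PermissionError("ownership change refused: " + ", ".join(changed))
    return changed


if __name__ == "__main__":
    # The option is accepted on the command line but never reaches the API.
    print(merge_silent(ALARM, project_id="project-b", name="alarm2"))
```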
information type: | Private Security → Public |
Changed in ceilometer: | |
assignee: | nobody → ZhiQiang Fan (aji-zqfan) |
affects: | ceilometer → python-ceilometerclient |
Changed in python-ceilometerclient: | |
status: | New → In Progress |
Changed in python-ceilometerclient: | |
milestone: | none → 1.3.0 |
status: | Fix Committed → Fix Released |
Was this intentionally marked as a private security vulnerability report? If not, it should be switched to a normal public bug so that the Ceilometer developers will be able to see it.