Require admin context for interfaces on ext network
Currently any user can attach an interface to a neutron
external network, if the neutron plugin supports the port
binding extension.
In this case, nova will create neutron ports using the admin
client, thus bypassing neutron authZ checks for creating ports
on external networks.
This patch adds a check in nova to verify the API request has an
admin context when a request for an interface is made on a
neutron external network.
Conflicts:
nova/exception.py
Change-Id: I5fb0bdcbf19eb82746ea3b192c1f65899bfb3c0b
Closes-Bug: 1284718
(cherry picked from commit 7d1b4117fda7709307a35e56625cfa7709a6b795)
Reviewed: https:/ /review. openstack. org/110476 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=1b69111f07d e241b2cf80ea37e 6fa09fcb959655
Committed: https:/
Submitter: Jenkins
Branch: stable/havana
commit 1b69111f07de241 b2cf80ea37e6fa0 9fcb959655
Author: Salvatore Orlando <email address hidden>
Date: Thu Apr 3 14:54:11 2014 -0700
Require admin context for interfaces on ext network
Currently any user can attach an interface to a neutron
external network, if the neutron plugin supports the port
binding extension.
In this case, nova will create neutron ports using the admin
client, thus bypassing neutron authZ checks for creating ports
on external networks.
This patch adds a check in nova to verify the API request has an
admin context when a request for an interface is made on a
neutron external network.
Conflicts: exception. py
nova/
Change-Id: I5fb0bdcbf19eb8 2746ea3b192c1f6 5899bfb3c0b 307a35e56625cfa 7709a6b795)
Closes-Bug: 1284718
(cherry picked from commit 7d1b4117fda7709