Unauthorized user can release floating_ips

Bug #855115 reported by Ray Hookway
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Ray Hookway
Milestone:

Bug Description

EC2 commands which manipulate floating_ips do not check that the user is associated with the project to which the address belongs. For example, ReleaseAddress can be used by a user who is a netadmin in one project to release an address which has been allocated to a second project of which the user is not a member. (See EC2 comment in floating_ip_deallocate: # TODO (devcamcar): How to ensure floating id belongs to user)
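
The ownership check whose absence the description points at, shown as an added Python example. This is not the patch attached to this bug and not Nova's code: the RequestContext class, the FLOATING_IPS table, release_address_unchecked, release_address_checked and try_release are constructed stand-ins, and the addresses and project names are sample values. The flawed shape looks an address up by value alone; the hardened shape compares the record's owning project with the caller's project before deallocating and records a denied attempt for audit.

```python
import copy
import logging

LOG = logging.getLogger("floating_ip_authz")


class NotAuthorized(Exception):
    """Caller may not act on the requested floating IP."""


class RequestContext:
    """Stand-in (assumed, not Nova's class) for the per-request context
    carrying the caller's identity."""

    def __init__(self, user_id, project_id):
        self.user_id = user_id
        self.project_id = project_id


# Constructed sample floating-IP table: two addresses owned by two projects.
FLOATING_IPS = {
    "192.0.2.10": {"address": "192.0.2.10", "project_id": "project-a"},
    "192.0.2.20": {"address": "192.0.2.20", "project_id": "project-b"},
}


def release_address_unchecked(context, public_ip, table):
    """The flawed shape the bug describes: the address is looked up by value
    only, so a caller in one project can release another project's address."""
    record = table[public_ip]
    record["project_id"] = None  # returned to the free pool
    return record


def release_address_checked(context, public_ip, table):
    """Hardened shape: refuse unless the record's project is the caller's.
    An unknown address is refused the same way, so the response does not
    reveal whether the address exists under some other project."""
    record = table.get(public_ip)
    if record is None or record["project_id"] != context.project_id:
        # Audit trail for the denied attempt: who, from which project, which address.
        LOG.warning("denied ReleaseAddress: user=%s project=%s address=%s",
                    context.user_id, context.project_id, public_ip)
        raise NotAuthorized(public_ip)
    record["project_id"] = None
    return record


def try_release(release_fn, context, public_ip):
    """Run one release attempt against a fresh copy of the sample table and
    report (outcome, owner_after) so the two shapes can be compared."""
    table = copy.deepcopy(FLOATING_IPS)
    try:
        release_fn(context, public_ip, table)
        outcome = "released"
    except NotAuthorized:
        outcome = "denied"
    owner_after = table[public_ip]["project_id"] if public_ip in table else None
    return outcome, owner_after


if __name__ == "__main__":
    # A netadmin of project-a asks to release project-b's address.
    netadmin_a = RequestContext(user_id="netadmin-a", project_id="project-a")
    print(try_release(release_address_unchecked, netadmin_a, "192.0.2.20"))
    print(try_release(release_address_checked, netadmin_a, "192.0.2.20"))
    print(try_release(release_address_checked, netadmin_a, "192.0.2.10"))
```

Treating a missing address and a foreign-project address identically is a design choice of this example: a distinct "not found" answer would let a caller probe which addresses are allocated elsewhere. The warning line is what a detection rule would key on; repeated denials from one user against addresses outside their project are the signal worth alerting on.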

Related branches

Changed in nova:
milestone: none → 2011.3
importance: Undecided → High
status: New → In Progress
assignee: nobody → Ray Hookway (rjh)
Ray Hookway (rjh)
description: updated
Ray Hookway (rjh) wrote :

The attached file is a patch that we are applying to our Diablo-2 based environment. We have tested the patch in our environment and believe it will work against the trunk, but haven't been able to test it there. We have confirmed that the patch applies cleanly to the trunk except for the tests. (The order of the tests has changed.)

description: updated
Ray Hookway (rjh)
summary: - Unauthorized user can release fixed_ips
+ Unauthorized user can release floating_ips
Chris Behrens (cbehrens) wrote :

Had to fight a little bit to get the test correct as the network code has changed a ton. But, I got this merge propped for both diablo's release branch and for trunk.

Ray Hookway (rjh) wrote : RE: [Bug 855115] Re: Unauthorized user can release floating_ips

Chris,

Thanks for taking care of this. Next time I hope we can be more helpful.

-Ray

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Chris Behrens
Sent: Wednesday, September 21, 2011 4:27 PM
To: Hookway, Ray
Subject: [Bug 855115] Re: Unauthorized user can release floating_ips

Had to fight a little bit to get the test correct as the network code
has changed a ton. But, I got this merge propped for both diablo's
release branch and for trunk.

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/855115

Title:
  Unauthorized user can release floating_ips

Status in OpenStack Compute (Nova):
  In Progress

Bug description:
  EC2 commands which manipulate floating_ips do not check that the user
  is associated with the project to which the address belongs. For
  example, ReleaseAddress can be used by a user who is a netadmin in one
  project to release an address which has been allocated to a second
  project of which the user is not a member. (See EC2 comment in
  floating_ip_deallocate: # TODO (devcamcar): How to ensure floating id
  belongs to user)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/855115/+subscriptions

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
visibility: private → public
Phil Day (philip-day) wrote :

Thanks Chris - really appreciate your work on helping us with this.

Phil

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Chris Behrens
Sent: 21 September 2011 21:27
To: Day, Phil
Subject: [Bug 855115] Re: Unauthorized user can release floating_ips

Had to fight a little bit to get the test correct as the network code
has changed a ton. But, I got this merge propped for both diablo's
release branch and for trunk.

Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
