0

tenantA can add other tenants' subnets to his router

asked 2013-01-07 11:37:48 -0500

kong

I made an experiment on my machine, and the result is amazing.

  1. I have a userrc file with contents below:

     ```
     root@controller:~# vi /root/userrc
     export OS_TENANT_NAME=project_one
     export OS_USERNAME=user_one
     export OS_PASSWORD=user_one
     export OS_AUTH_URL="http://localhost:5000/v2.0/"
     export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
     ```

  2. there are two tenants:

     ```
     root@controller:~# keystone tenant-list
     +----------------------------------+--------------------+---------+
     | id                               | name               | enabled |
     +----------------------------------+--------------------+---------+
     | 60e580365e804459a3e79a788ea36971 | demo               | True    |
     | 678d0215c86a40f595f53b06beeec590 | project_one        | True    |
     ```

  3. there is a router for tenant 'project_one' named 'router_proj_one':

     ```
     root@controller:~# quantum router-show ccf5f323-2a41-41d1-8bb6-b772a8ae17fc
     +-----------------------+--------------------------------------------------------+
     | Field                 | Value                                                  |
     +-----------------------+--------------------------------------------------------+
     | admin_state_up        | True                                                   |
     | external_gateway_info | {"network_id": "d087a79f-eb79-45a1-851b-e79b0188b052"} |
     | id                    | ccf5f323-2a41-41d1-8bb6-b772a8ae17fc                   |
     | name                  | router_proj_one                                        |
     | status                | ACTIVE                                                 |
     | tenant_id             | 678d0215c86a40f595f53b06beeec590                       |
     +-----------------------+--------------------------------------------------------+
     ```

  4. there is a subnet for tenant 'demo':

     ```
     root@controller:~# quantum subnet-show 136d5eab-14f4-464d-97dd-4b76a409263d
     +------------------+--------------------------------------------+
     | Field            | Value                                      |
     +------------------+--------------------------------------------+
     | allocation_pools | {"start": "10.0.1.2", "end": "10.0.1.254"} |
     | cidr             | 10.0.1.0/24                                |
     | dns_nameservers  |                                            |
     | enable_dhcp      | True                                       |
     | gateway_ip       | 10.0.1.1                                   |
     | host_routes      |                                            |
     | id               | 136d5eab-14f4-464d-97dd-4b76a409263d       |
     | ip_version       | 4                                          |
     | name             |                                            |
     | network_id       | 074f6c64-be43-4563-aa53-a7972f0299a8       |
     | tenant_id        | 60e580365e804459a3e79a788ea36971           |
     +------------------+--------------------------------------------+
     ```

  5. tenant 'project_one' adds the subnet of tenant 'demo' to his router:

     ```
     root@controller:~# source /root/userrc
     root@controller:~# quantum router-interface-add router_proj_one 136d5eab-14f4-464d-97dd-4b76a409263d
     Added interface to router router_proj_one
     ```

Success! It means that anyone can add others' subnets to his router without the others' permission! And I cannot find any verification of the subnet I want to add in the function 'add_router_interface()'.

Is it a bug?


3 answers

0

answered 2013-01-08 01:00:04 -0500

kong

Hi yongsheng:

Thanks for your reply.

I did make a mistake: the user "user_one" has an admin role.

0

answered 2013-01-08 01:00:20 -0500

kong

Thanks yong sheng gong, that solved my question.

0

answered 2013-01-08 00:30:33 -0500

gongysh

Hi, does user_one have the admin role?

```python
def add_router_interface(self, context, router_id, interface_info):
    # make sure router exists
    router = self._get_router(context, router_id)
    ...
    elif 'subnet_id' in interface_info:
        subnet_id = interface_info['subnet_id']
        subnet = self._get_subnet(context, subnet_id)
        ...
```

self._get_subnet(...) will query the subnet under the tenant context if the context is not an admin one.

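The tenant scoping described in the answer above, as an added sketch that is not Quantum's own code and not part of the original thread. It assumes in-memory dicts in place of the database; `Context`, `NotFound`, `_scoped_get` and `try_attach` are hypothetical names, while the tenant, router and subnet identifiers are the ones shown in the question.

```python
from dataclasses import dataclass

# Identifiers taken from the question; the dicts stand in for the database.
DEMO = "60e580365e804459a3e79a788ea36971"
PROJECT_ONE = "678d0215c86a40f595f53b06beeec590"
DEMO_SUBNET = "136d5eab-14f4-464d-97dd-4b76a409263d"
SUBNETS = {DEMO_SUBNET: {"tenant_id": DEMO, "cidr": "10.0.1.0/24"}}
ROUTERS = {"router_proj_one": {"tenant_id": PROJECT_ONE, "interfaces": []}}


class NotFound(Exception):
    """Hypothetical stand-in for the plugin's not-found errors."""


@dataclass
class Context:
    tenant_id: str
    is_admin: bool = False


def _scoped_get(context, table, key):
    """Return a row only if the caller owns it or holds an admin context."""
    row = table.get(key)
    not_owner = row is not None and row["tenant_id"] != context.tenant_id
    if row is None or (not_owner and not context.is_admin):
        # Same error for "missing" and "not yours", so a tenant cannot
        # probe for the existence of another tenant's resources.
        raise NotFound(key)
    return row


def add_router_interface(context, router_id, interface_info):
    router = _scoped_get(context, ROUTERS, router_id)
    subnet_id = interface_info["subnet_id"]
    _scoped_get(context, SUBNETS, subnet_id)  # ownership is enforced here
    router["interfaces"].append(subnet_id)
    return router


def try_attach(context):
    """Return True if this context may attach demo's subnet to the router."""
    try:
        add_router_interface(context, "router_proj_one",
                             {"subnet_id": DEMO_SUBNET})
        return True
    except NotFound:
        return False
```

A non-admin `project_one` context is refused, while the same tenant with `is_admin=True` succeeds, which matches the behaviour seen once `user_one` turned out to hold the admin role.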


Stats

Asked: 2013-01-07 11:37:48 -0500

Seen: 18 times

Last updated: Jan 08 '13