On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
> > I have a small discussion in Launchpad: is the lack of a quota
> > for an unprivileged user counted as a security bug (or at least
> > as a bug)?
> > 
> > If a user can create 100500 objects in the database via the normal
> > API and ops have no way to restrict this, is it OK for OpenStack
> > or not?
> 
> That would be a major security bug. Please do file one and we'll
> get on it immediately.

I think the bigger question is whether the lack of a quota
implementation for everything a tenant could ever possibly create is
something we should have reported in secret, worked under embargo,
backported to supported stable branches, and announced via
high-profile security advisories once fixed.
-- 
Jeremy Stanley

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
