On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote: > On 12/10/2014 02:43 PM, George Shuklin wrote: > > I have some small discussion in launchpad: is lack of a quota > > for unprivileged user counted as security bug (or at least as a > > bug)? > > > > If user can create 100500 objects in database via normal API and > > ops have no way to restrict this, is it OK for Openstack or not? > > That would be a major security bug. Please do file one and we'll > get on it immediately.
I think the bigger question is whether the lack of a quota implementation for everything a tenant could ever possibly create is something we should have reported in secret, worked under embargo, backported to supported stable branches, and announced via high-profile security advisories once fixed. -- Jeremy Stanley _______________________________________________ OpenStack-dev mailing list OpenStackfirstname.lastname@example.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev