Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread Ihar Hrachyshka
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 10/12/14 22:12, Jeremy Stanley wrote: On 2014-12-10 16:07:35 -0500 (-0500), Jay Pipes wrote: On 12/10/2014 04:05 PM, Jeremy Stanley wrote: I think the bigger question is whether the lack of a quota implementation for everything a tenant

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread George Shuklin
On 12/10/2014 10:34 PM, Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can create 100500 objects in database via normal API and ops have

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread Thierry Carrez
George Shuklin wrote: On 12/10/2014 10:34 PM, Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can create 100500 objects in database

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread Clark, Robert Graham
On 11/12/2014 13:16, Thierry Carrez thie...@openstack.org wrote: George Shuklin wrote: On 12/10/2014 10:34 PM, Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at

[openstack-dev] Lack of quota - security bug or not?

2014-12-10 Thread George Shuklin
I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can create 100500 objects in database via normal API and ops have no way to restrict this, is it OK for Openstack or not?

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-10 Thread Jay Pipes
On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can create 100500 objects in database via normal API and ops have no way to restrict this, is it OK for

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-10 Thread Jeremy Stanley
On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can create 100500 objects in database via

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-10 Thread Jay Pipes
On 12/10/2014 04:05 PM, Jeremy Stanley wrote: On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at least as a bug)? If user can

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-10 Thread Jeremy Stanley
On 2014-12-10 16:07:35 -0500 (-0500), Jay Pipes wrote: On 12/10/2014 04:05 PM, Jeremy Stanley wrote: I think the bigger question is whether the lack of a quota implementation for everything a tenant could ever possibly create is something we should have reported in secret, worked under