Yes, I agree in this case it doesn't sound like any actual security vulnerability was being addressed by that module, so no OSSA warranted.
** Changed in: ossa
       Status: Incomplete => Invalid

** Information type changed from Public Security to Public

** Tags added: security

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1210869

Title:
  Ratelimiting not working

Status in OpenStack Compute (Nova):
  In Progress
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Current master does not respect ratelimiting, since parsing of the api-paste.ini is faulty.

  api-paste.ini configures user limiting by setting a line as follows (according to the code and unit test):

  user:<user-id>:(GET, *, ".*", 4, minute)

  This was passed to the Limiter as kwargs with "user" as a key. Thus multiple user limiting is not possible as well as extracting the id of the user was bound to fail, since we checked on the key with startswith("user:")

  An example config in the api-paste.ini has to look as follows:

  limits = (POST, "*", .*, 10, MINUTE)
  limits.<user-id1>:(GET, "*", .*, 4, minute)
  limits.<user-id2>:(GET, "*", .*, 2, minute)

  This can be then tested by maybe trying to run "cinder list" with a configured user and see if the limit is respected.
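The key collision described in the bug report, as an added example that is not nova's code and not part of the original message. It uses Python's standard configparser as a stand-in for the api-paste.ini loader, assuming that loader also splits each line at the first ':' or '=' and passes the options to the filter as kwargs; the section name, the ids id1/id2 and both helper functions are constructed for illustration.

```python
import configparser

# Constructed api-paste.ini fragments; id1/id2 stand in for real user ids.
OLD_STYLE = """\
[filter:ratelimit]
user:id1:(GET, *, ".*", 4, minute)
user:id2:(GET, *, ".*", 2, minute)
"""

NEW_STYLE = """\
[filter:ratelimit]
limits = (POST, "*", .*, 10, MINUTE)
limits.id1:(GET, "*", .*, 4, minute)
limits.id2:(GET, "*", .*, 2, minute)
"""


def filter_kwargs(ini_text, section="filter:ratelimit"):
    """Return the section's options as the dict a filter factory would get.

    Assumption: the real loader splits each line at the first ':' or '=',
    like configparser. strict=False lets a repeated key overwrite the
    earlier one instead of raising DuplicateOptionError.
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def per_user_limits(kwargs, prefix):
    """Collect per-user entries by key prefix (hypothetical helper)."""
    return {key[len(prefix):]: value
            for key, value in kwargs.items() if key.startswith(prefix)}


if __name__ == "__main__":
    old = filter_kwargs(OLD_STYLE)
    new = filter_kwargs(NEW_STYLE)
    print("old kwargs:      ", old)
    print("old user limits: ", per_user_limits(old, "user:"))
    print("new user limits: ", per_user_limits(new, "limits."))
    print("new default:     ", new["limits"])
```

With the old format both lines collapse into the single key "user", so only one user's entry survives and a startswith("user:") test on the key never matches; the "limits.<user-id>" form keeps one distinct key per user.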