** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1301532

Title:
  Quotas can be exceeded by making highly parallel requests

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  By making parallel API requests to create new keypairs I was able to
  create 162 keypairs when my quota only allows for 100.

  I suspect this is due to the code in Nova doing the check for how many
  keypairs the user currently has at the beginning of the request cycle,
  and if enough requests check in parallel they all return zero before
  any are created, allowing far too many to sneak through. I also
  suspect this behavior is true for any quota'd resource that doesn't go
  through the scheduler.

  This doesn't seem like a high-priority issue with the data currently
  available, but it may be potentially exploitable, hence I'm setting
  the security flag on the ticket just to be sure it gets triaged
  appropriately before we allow any malicious user on the internet to
  exceed their quotas.
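
The check-then-create race suspected in the bug description, as an added example that is not Nova code and not part of the original report: a constructed in-memory store with a quota of 5, where a barrier holds every request until all of them have finished their quota check. `KeypairStore`, `create_racy`, `create_atomic` and `run` are hypothetical names, and the in-process lock is an assumption standing in for an atomic check-and-reserve in the real datastore.

```python
import threading

QUOTA = 5  # constructed limit for the demo


class KeypairStore:
    """Hypothetical in-memory stand-in for a quota-limited resource table."""

    def __init__(self):
        self.items = []
        self.lock = threading.Lock()

    def create_racy(self, name, gate):
        # Quota is checked at the start of the request...
        allowed = len(self.items) < QUOTA
        # ...and the insert happens later. The barrier models that gap by
        # holding every request until all of them have done their check.
        gate.wait()
        if allowed:
            self.items.append(name)
        return allowed

    def create_atomic(self, name, gate):
        gate.wait()  # same arrival pattern as the racy path
        # Check and insert form one critical section, so each request sees
        # the rows created by the requests that went before it.
        with self.lock:
            if len(self.items) >= QUOTA:
                return False
            self.items.append(name)
            return True


def run(method_name, requests=20):
    """Fire `requests` parallel creates; return how many rows were stored."""
    store = KeypairStore()
    gate = threading.Barrier(requests)
    create = getattr(store, method_name)
    threads = [
        threading.Thread(target=create, args=(f"key-{i}", gate))
        for i in range(requests)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(store.items)


if __name__ == "__main__":
    print("racy:", run("create_racy"), "atomic:", run("create_atomic"))
```

With several API workers the lock cannot live in process memory; the same property has to come from the shared datastore, for example a transaction or conditional update that counts and inserts in one step.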