*** This bug is a duplicate of bug 1284718 ***
    https://bugs.launchpad.net/bugs/1284718

** Information type changed from Private Security to Public

** This bug has been marked a duplicate of bug 1284718
   interface-attach to external network a) works and b) results in undeletable instances

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1342690

Title:
  nova allows to bypass neutron permission checking by allowing user to
  plug instances to external neutron networking

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  havana/ubuntu version of openstack (1:2013.2.3-0ubuntu1~cloud0)

  If OpenStack is set up with nova and neutron and a user uses nova to
  create an instance, nova allows ports to be created in external networking,
  bypassing neutron permissions for network access.

  Steps to reproduce:
  1. Create installation with nova/neutron
  2. Create external neutron network (ExtNet-UUID)
  3. Create unprivileged (_member_) user, use its credentials.
  4. boot instance: nova boot bad_instance --flavor m1.small --image any-image --nic net-id:ExtNet-UUID

  Expected results: nova rejects the request because 'external networks' does not belong to the tenant.
  Actual results: nova allows a port to be created on the external network, and that port belongs to the user's tenant.

  That port is not operational, so the scope of the described problem is limited:
  1. incorrect records in 'neutron port-list'
  2. (more severe) depletion of external IP addresses over user quota for floating IPs in neutron.
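
A check for the port records described above, as an added example that is not part of the original bug report or of the nova/neutron code: it flags instance ports on external networks their tenant does not own and counts the external addresses they hold. The records are constructed, and treating shared networks as legitimate and the "compute:" device_owner prefix as the instance marker are assumptions.

```python
# Added example: audit Neutron records for instance ports on external networks.
# All records are constructed; keys follow the Neutron API.
NETWORKS = [
    {"id": "ext-net", "tenant_id": "admin", "router:external": True, "shared": False},
    {"id": "ext-shared", "tenant_id": "admin", "router:external": True, "shared": True},
    {"id": "priv-a", "tenant_id": "tenant-a", "router:external": False, "shared": False},
]
PORTS = [
    {"id": "p1", "network_id": "ext-net", "tenant_id": "tenant-a",
     "device_owner": "compute:nova", "fixed_ips": [{"ip_address": "203.0.113.10"}]},
    {"id": "p2", "network_id": "ext-net", "tenant_id": "tenant-a",
     "device_owner": "compute:nova", "fixed_ips": [{"ip_address": "203.0.113.11"}]},
    {"id": "p3", "network_id": "ext-net", "tenant_id": "tenant-b",
     "device_owner": "compute:None", "fixed_ips": [{"ip_address": "203.0.113.12"}]},
    {"id": "p4", "network_id": "ext-net", "tenant_id": "admin",
     "device_owner": "network:router_gateway", "fixed_ips": [{"ip_address": "203.0.113.2"}]},
    {"id": "p5", "network_id": "ext-shared", "tenant_id": "tenant-b",
     "device_owner": "compute:nova", "fixed_ips": [{"ip_address": "198.51.100.5"}]},
    {"id": "p6", "network_id": "priv-a", "tenant_id": "tenant-a",
     "device_owner": "compute:nova", "fixed_ips": [{"ip_address": "10.0.0.5"}]},
]

def find_suspect_ports(networks, ports):
    """Return instance ports on external networks their tenant does not own."""
    nets = {n["id"]: n for n in networks}
    suspects = []
    for port in ports:
        net = nets.get(port["network_id"])
        if net is None or not net.get("router:external"):
            continue  # unknown or internal network
        # Assumption: shared or tenant-owned external networks are legitimate.
        if net.get("shared") or net["tenant_id"] == port["tenant_id"]:
            continue
        # Assumption: nova marks instance ports with device_owner "compute:<az>".
        if (port.get("device_owner") or "").startswith("compute:"):
            suspects.append(port)
    return suspects

def external_ips_by_tenant(suspects):
    """Count external addresses held per tenant by the flagged ports."""
    counts = {}
    for port in suspects:
        held = len(port.get("fixed_ips") or [])
        counts[port["tenant_id"]] = counts.get(port["tenant_id"], 0) + held
    return counts

if __name__ == "__main__":
    flagged = find_suspect_ports(NETWORKS, PORTS)
    print([p["id"] for p in flagged], external_ips_by_tenant(flagged))
```

The per-tenant counts can be compared against each tenant's floating IP quota to see the depletion described in item 2.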
