Reviewed:  https://review.openstack.org/233855
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=24b482ac15b5fa99edd2c3438318a41f9af06bcf
Submitter: Jenkins
Branch:    master

commit 24b482ac15b5fa99edd2c3438318a41f9af06bcf
Author: Salvatore Orlando <[email protected]>
Date:   Mon Oct 12 15:47:03 2015 -0700

    Scope get_tenant_quotas by tenant_id

    Using model_query in the operation for retrieving tenant limits
    will spare the need for explicit authorization check in the quota
    controller. This is particularly relevant for the pecan framework
    where every Neutron API call undergoes authZ checks in the same
    pecan hook.

    This patch will automatically adapt by eventual changes introducing
    "un-scoped" contexts.

    Closes-bug: #1505406

    Change-Id: I6952f5c85cd7fb0263789f768d23de3fe80b8183

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1505406

Title:
  Queries for fetching quotas are not scoped

Status in neutron:
  Fix Released

Bug description:
  get_tenant_quotas retrieves quotas for a tenant without scoping the
  query with the tenant_id issuing the request [1]; even if the API
  extension has an explicit authorisation check (...) [2], it is
  advisable to scope the query so that this problem is avoided.

  This is particularly relevant as with the pecan framework quota
  management APIs are not anymore "special" from an authZ perspective,
  but use the same authorization hook as any other API.

  [1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/quota/driver.py#n50
  [2] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/quotasv2.py#n87
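
The scoping described in the bug, as an added illustration that is not Neutron code and not part of the original notification: a quota lookup that trusts only its tenant_id argument, next to one that also filters on the tenant in the request context. The `Context` class, the sqlite table layout, the sample rows and the admin bypass are assumptions made for this sketch.

```python
import sqlite3
from dataclasses import dataclass


@dataclass
class Context:
    """Hypothetical stand-in for a request context (not Neutron's class)."""
    tenant_id: str
    is_admin: bool = False


def make_db():
    """Build an in-memory quota table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotas "
               "(tenant_id TEXT, resource TEXT, quota_limit INTEGER)")
    db.executemany("INSERT INTO quotas VALUES (?, ?, ?)", [
        ("tenant-a", "network", 10),
        ("tenant-a", "port", 50),
        ("tenant-b", "network", 100),
    ])
    return db


def get_tenant_quotas_unscoped(db, context, tenant_id):
    """Before: the query filters on the argument only; the context is
    ignored, so isolation depends entirely on an earlier authZ check."""
    rows = db.execute("SELECT resource, quota_limit FROM quotas "
                      "WHERE tenant_id = ?", (tenant_id,))
    return dict(rows.fetchall())


def get_tenant_quotas_scoped(db, context, tenant_id):
    """After: the query is also constrained to the caller's own tenant
    unless the context is an admin one (assumed bypass rule)."""
    sql = ("SELECT resource, quota_limit FROM quotas "
           "WHERE tenant_id = ?")
    params = [tenant_id]
    if not context.is_admin:
        sql += " AND tenant_id = ?"
        params.append(context.tenant_id)
    return dict(db.execute(sql, params).fetchall())
```

With the scoped form, a request that reaches the driver without passing the controller's check returns no rows for another tenant instead of that tenant's limits.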

