tenantA can add other tenants' subnets to his router

Asked by Lingxian Kong

I made an experiment on my machine, and the result is amazing.

1. I have a userrc file with contents below:
root@controller:~# vi /root/userrc
export OS_TENANT_NAME=project_one
export OS_USERNAME=user_one
export OS_PASSWORD=user_one
export OS_AUTH_URL="http://localhost:5000/v2.0/"
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"

2. There are two tenants:
root@controller:~# keystone tenant-list
+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| 60e580365e804459a3e79a788ea36971 | demo               |  True   |
| 678d0215c86a40f595f53b06beeec590 | project_one        |  True   |
+----------------------------------+--------------------+---------+

3. There is a router for tenant 'project_one' named 'router_proj_one':
root@controller:~# quantum router-show ccf5f323-2a41-41d1-8bb6-b772a8ae17fc
+-----------------------+--------------------------------------------------------+
| Field                 | Value                                                  |
+-----------------------+--------------------------------------------------------+
| admin_state_up        | True                                                   |
| external_gateway_info | {"network_id": "d087a79f-eb79-45a1-851b-e79b0188b052"} |
| id                    | ccf5f323-2a41-41d1-8bb6-b772a8ae17fc                   |
| name                  | router_proj_one                                        |
| status                | ACTIVE                                                 |
| tenant_id             | 678d0215c86a40f595f53b06beeec590                       |
+-----------------------+--------------------------------------------------------+

4. There is a subnet for tenant 'demo':
root@controller:~# quantum subnet-show 136d5eab-14f4-464d-97dd-4b76a409263d
+------------------+--------------------------------------------+
| Field            | Value                                      |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.1.2", "end": "10.0.1.254"} |
| cidr             | 10.0.1.0/24                                |
| dns_nameservers  |                                            |
| enable_dhcp      | True                                       |
| gateway_ip       | 10.0.1.1                                   |
| host_routes      |                                            |
| id               | 136d5eab-14f4-464d-97dd-4b76a409263d       |
| ip_version       | 4                                          |
| name             |                                            |
| network_id       | 074f6c64-be43-4563-aa53-a7972f0299a8       |
| tenant_id        | 60e580365e804459a3e79a788ea36971           |
+------------------+--------------------------------------------+

5. Tenant 'project_one' adds the subnet of tenant 'demo' to his router:
root@controller:~# source /root/userrc
root@controller:~# quantum router-interface-add router_proj_one 136d5eab-14f4-464d-97dd-4b76a409263d
Added interface to router router_proj_one

Success! It means that anyone can add another tenant's subnet to his router without that tenant's permission!
And I cannot find any verification of the subnet I want to add in the function 'add_router_interface()'.

Is it a bug?

Question information

Language: English
Status: Solved
For: neutron
Assignee: No assignee
Solved by: yong sheng gong

Best yong sheng gong (gongysh) said :
#1

Hi,
does user_one have the admin role?

    def add_router_interface(self, context, router_id, interface_info):
        # make sure router exists
        router = self._get_router(context, router_id)
        # ...
        elif 'subnet_id' in interface_info:
            subnet_id = interface_info['subnet_id']
            subnet = self._get_subnet(context, subnet_id)
            # ...

The self._get_subnet(...) will query the subnet under the tenant context if the context is not an admin one.
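
As an added illustration (my own model, not Neutron's code and not part of the answer above), the block below shows why the admin role decides the outcome: Neutron's DB layer adds a tenant_id filter to every lookup made under a non-admin context, so another tenant's subnet is simply not found, while an admin context sees every row and the scoped lookup is the only ownership check add_router_interface() performs. The Context class, the in-memory tables and the second subnet id are constructed for the example; the tenant, router and subnet ids are the ones shown in the question.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when a row is invisible to the caller (Neutron answers 404)."""


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False  # constructed stand-in for the request context's admin flag


# Constructed in-memory tables using the ids shown in the question.
DEMO = "60e580365e804459a3e79a788ea36971"
PROJECT_ONE = "678d0215c86a40f595f53b06beeec590"
ROUTER_PROJ_ONE = "ccf5f323-2a41-41d1-8bb6-b772a8ae17fc"
DEMO_SUBNET = "136d5eab-14f4-464d-97dd-4b76a409263d"
OWN_SUBNET = "00000000-0000-0000-0000-000000000002"  # constructed, owned by project_one
ROUTERS = {ROUTER_PROJ_ONE: {"name": "router_proj_one", "tenant_id": PROJECT_ONE}}
SUBNETS = {
    DEMO_SUBNET: {"cidr": "10.0.1.0/24", "tenant_id": DEMO},
    OWN_SUBNET: {"cidr": "10.0.2.0/24", "tenant_id": PROJECT_ONE},
}


def model_query(context, table):
    """Model of the tenant filter Neutron's DB layer applies for non-admin contexts."""
    if context.is_admin:
        return dict(table)  # admin: no filter, every tenant's rows are visible
    return {rid: row for rid, row in table.items() if row["tenant_id"] == context.tenant_id}


def get_resource(context, table, resource_id):
    """Look up by id through the scoped query; other tenants' rows are simply absent."""
    try:
        return model_query(context, table)[resource_id]
    except KeyError:
        raise NotFound(resource_id) from None


def add_router_interface(context, router_id, subnet_id):
    """Model of add_router_interface(): the only ownership check is the scoped lookup."""
    router = get_resource(context, ROUTERS, router_id)
    subnet = get_resource(context, SUBNETS, subnet_id)
    return {"router": router["name"], "cidr": subnet["cidr"]}


def can_attach(context, router_id, subnet_id):
    """Operator-side check: can this context attach this subnet to this router?"""
    try:
        add_router_interface(context, router_id, subnet_id)
        return True
    except NotFound:
        return False
```

Run with a non-admin project_one context the demo subnet is rejected with NotFound; give the same user the admin flag and the attach succeeds, which is exactly what the question observed.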

Lingxian Kong (kong) said :
#2

hi yongsheng:

thanks for your reply.

I did make a mistake: the user "user_one" has an admin role.

Lingxian Kong (kong) said :
#3

Thanks yong sheng gong, that solved my question.