<div dir="ltr"><div>I think it is better to block PUT for device_owner/device_id by regular users.</div><div>It can be controlled by policy.json.</div><div>If we do this change, we need to do it carefully because nova calls neutron port<br></div><div>operations with regular user privilege if the port binding extension is not supported.</div><div><br></div><div>I agree that it is a good idea that the API layer checks that new values do not affect</div><div>the neutron control plane.</div><div><br></div><div>IMHO, blocking the change to device_owner/id is simpler.</div><div>Multiple security bugs due to handling of this attribute were reported</div><div>and blocking updates to it makes things simpler.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-07-16 18:26 GMT+09:00 Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What do you think of just blocking all PUTs to that field? Is that a feasible change without inducing widespread riots about breaking changes?</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 16, 2015 at 2:53 AM, Salvatore Orlando <span dir="ltr"><<a href="mailto:sorlando@nicira.com" target="_blank">sorlando@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It is not possible to constrain this attribute to an enum, because there is no fixed list of device owners. 
Nevertheless, it's good to document known device owners.<div><br></div><div>Likewise, the API layer should have checks in place to ensure accidental updates to this attribute do not impact control plane functionality, or at least do not leave the system in an inconsistent state.</div><span><font color="#888888"><div><br></div><div>Salvatore<br><div><br></div></div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 16 July 2015 at 07:51, Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm guessing Salvatore might just be suggesting that we restrict users from populating values that have special meaning (e.g. l3 agent router interface ports). I don't think at this point we could constrain the owner field to essentially an enum.</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Wed, Jul 15, 2015 at 10:22 PM, Mike Kolesnik <span dir="ltr"><<a href="mailto:mkolesni@redhat.com" target="_blank">mkolesni@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div><br></div><hr><span><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div dir="ltr">Yes please.<div><br></div><div>This would be a good starting point.</div><div>I also think that the ability to edit it, as well as the value it could be set to, should be constrained.</div></div></blockquote></span><div>FYI the oVirt project uses this field to identify ports it creates and manages.<br></div><div>So if you're going to constrain it 
to something, it should probably be configurable so that managers other than Nova can continue to use Neutron.<br></div><div><div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div dir="ltr"><div><br></div><div>As you have surely noticed, there are several code paths which rely on an appropriate value being set in this attribute.</div><div>This means a user can potentially trigger malfunctions by sending PUT requests to edit this attribute.</div><div><br></div><div>Summarizing, I think that documenting its usage is a good starting point, but I believe we should address the way this attribute is exposed at the API layer as well.</div><div><br></div><div>Salvatore</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 July 2015 at 11:52, Wang, Yalei <span dir="ltr"><<a href="mailto:yalei.wang@intel.com" target="_blank">yalei.wang@intel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="text-align:justify" align="left">Hi all,</div><div style="text-align:justify" align="left">The device_owner of the port is defined as a 255-byte string, and is widely used now, indicating the use of the port.</div><div style="text-align:justify" align="left">It seems we can fill it freely, and the user could also update/set it from the command line (port-update $PORT_ID --device_owner), and I don’t find a guideline for using it.</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">What is its function? 
For indicating the use of the port, and it seems horizon also uses it to show the topology.</div><div style="text-align:justify" align="left">And nova really needs it editable, should we at least document all of the possible values in some guide to make it clear? If yes, I can do it.</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">I got these usages from the code (maybe not complete, please point it out):</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">From constants.py,</div><div style="text-align:justify" align="left">DEVICE_OWNER_ROUTER_HA_INTF = "network:router_ha_interface"</div><div style="text-align:justify" align="left">DEVICE_OWNER_ROUTER_INTF = "network:router_interface"</div><div style="text-align:justify" align="left">DEVICE_OWNER_ROUTER_GW = "network:router_gateway"</div><div style="text-align:justify" align="left">DEVICE_OWNER_FLOATINGIP = "network:floatingip"</div><div style="text-align:justify" align="left">DEVICE_OWNER_DHCP = "network:dhcp"</div><div style="text-align:justify" align="left">DEVICE_OWNER_DVR_INTERFACE = "network:router_interface_distributed"</div><div style="text-align:justify" align="left">DEVICE_OWNER_AGENT_GW = "network:floatingip_agent_gateway"</div><div style="text-align:justify" align="left">DEVICE_OWNER_ROUTER_SNAT = "network:router_centralized_snat"</div><div style="text-align:justify" align="left">DEVICE_OWNER_LOADBALANCER = "neutron:LOADBALANCER"</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">And from debug_agent.py</div><div style="text-align:justify" align="left">DEVICE_OWNER_NETWORK_PROBE = 'network:probe'</div><div style="text-align:justify" 
align="left">DEVICE_OWNER_COMPUTE_PROBE = 'compute:probe'</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">And setting from nova/network/neutronv2/api.py,</div><div style="text-align:justify" align="left">'compute:%s' % instance.availability_zone</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div><div style="text-align:justify" align="left">Thanks all!</div><div style="text-align:justify" align="left">/Yalei</div><div style="text-align:justify" align="left"><span style="font-family:Times New Roman" face="Times New Roman"> </span></div></div><br>__________________________________________________________________________<br> OpenStack Development Mailing List (not for usage questions)<br> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br><br></blockquote></div><br></div></blockquote><div><br></div></div></div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div>Kevin Benton</div></div>
</font></span></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div>Kevin Benton</div></div>
</div>
</div></div>
<br></blockquote></div><br></div>
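An API-layer guard of the kind the thread argues for, written here as an added example and not Neutron's own code: a regular user's PUT may not assign or alter a reserved `network:` device_owner (the router/DHCP/HA owners Yalei lists), may not touch device_owner/device_id on a port that already carries one, and the owner prefixes regular users may use are a deployment setting so that managers other than Nova (the oVirt case) keep working. The Context and DeviceOwnerPolicy classes, the function names and the sample ports are assumptions.

```python
from dataclasses import dataclass

# Added example (not Neutron's code); names and sample ports are assumptions.
RESERVED_PREFIX = "network:"  # router/DHCP/HA owners from constants.py

class PolicyNotAuthorized(Exception):
    """Raised when a regular user may not change the port's owner fields."""

@dataclass(frozen=True)
class Context:
    is_admin: bool

@dataclass(frozen=True)
class DeviceOwnerPolicy:
    # Prefixes a regular user may assign: a deployment knob so managers
    # other than Nova (e.g. oVirt) can be allowed in.
    allowed_prefixes: tuple = ("compute:",)

def check_device_owner_update(ctx, port, new_attrs, policy=DeviceOwnerPolicy()):
    """Validate a PUT touching device_owner/device_id; return merged port."""
    changed = {k: v for k, v in new_attrs.items()
               if k in ("device_owner", "device_id") and v != port.get(k)}
    if ctx.is_admin or not changed:
        return {**port, **new_attrs}
    current = port.get("device_owner", "")
    # A regular user may not re-point or re-label a control-plane port.
    if current.startswith(RESERVED_PREFIX):
        raise PolicyNotAuthorized(f"port owned by {current!r} is read-only")
    new_owner = changed.get("device_owner")
    if new_owner is not None:
        if new_owner.startswith(RESERVED_PREFIX):
            raise PolicyNotAuthorized(f"{new_owner!r} is reserved for neutron")
        if not new_owner.startswith(policy.allowed_prefixes):
            raise PolicyNotAuthorized(f"{new_owner!r} is not an allowed owner")
    return {**port, **new_attrs}

def update_allowed(ctx, port, new_attrs, policy=DeviceOwnerPolicy()):
    """Boolean form of the check, handy as a policy-enforcement hook."""
    try:
        check_device_owner_update(ctx, port, new_attrs, policy)
        return True
    except PolicyNotAuthorized:
        return False

# Constructed sample ports (not real data).
VM_PORT = {"id": "p-vm", "device_owner": "compute:nova", "device_id": "vm-1"}
ROUTER_PORT = {"id": "p-rtr", "device_owner": "network:router_interface",
               "device_id": "router-1"}
```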