[Openstack-security] [openstack/barbican-specs] SecurityImpact review request change Ic5db6ed73310b951d73e7f2fe0cbc17711966038
gerrit2 at review.openstack.org
Tue Jan 20 15:39:32 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/148587
Log:
commit 9b0f3cd25c1b9fc9a71b4bccf14b21d9d894be23
Author: jfwood <john.wood at rackspace.com>
Date: Tue Jan 20 08:52:17 2015 -0600
Support concurrent updates on the orders API resource
Currently if a PUT request is made to an existing orders resource, the
updated order metadata is sent as an argument to an enqueued RPC task
to worker nodes. If subsequent PUT requests are made to the same order,
multiple RPC tasks will be enqueued and potentially processed by
multiple worker nodes. Hence the sequence in which these RPC tasks are
processed is not guaranteed to match the order in which the PUT requests were received.
This blueprint seeks to avoid this race condition. A motivation for
this feature is to support reliably updating SSL certificate orders 'in
flight', say to correct a contact email address. Another benefit is
limiting the number of updates that can be made to a given order,
reducing the possibility of a denial of service attack via the orders
resource.
Change-Id: Ic5db6ed73310b951d73e7f2fe0cbc17711966038
Implements: blueprint api-orders-support-concurrent-updates
APIImpact: Adds 400 response if too many PUT requests to same order
SecurityImpact: Should help mitigate DoS attack on order via PUTs
DocImpact: Update orders resource doc to mention 400 response
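An added toy model (not Barbican code) of the race the commit message describes: PUTs become queued tasks that workers may apply out of order. It shows a cap on unprocessed PUTs per order, standing in for the 400 response the change adds, plus an assumed per-order sequence number so a stale task cannot overwrite a newer one; the cap value and the sequence check are assumptions for illustration.

```python
# Toy model of the orders PUT race; not Barbican's implementation.
# Tasks carry a sequence number so out-of-order delivery is detected.
from collections import defaultdict

MAX_PENDING_UPDATES = 3  # assumed value; the real limit is not on the page


class TooManyUpdates(Exception):
    """Raised where the API would return HTTP 400."""


class OrderStore:
    def __init__(self):
        self.orders = {}                  # order_id -> metadata dict
        self.pending = defaultdict(int)   # order_id -> queued, unprocessed PUTs
        self.seq = defaultdict(int)       # order_id -> number of accepted PUTs

    def enqueue_put(self, order_id, meta):
        """API side: turn a PUT into a task payload, or reject it."""
        if self.pending[order_id] >= MAX_PENDING_UPDATES:
            raise TooManyUpdates(order_id)
        self.pending[order_id] += 1
        self.seq[order_id] += 1
        return (order_id, self.seq[order_id], meta)

    def apply_task(self, task):
        """Worker side: apply a task unless a later PUT was already applied."""
        order_id, seq, meta = task
        self.pending[order_id] -= 1
        current = self.orders.get(order_id, {})
        if seq < current.get("_seq", 0):
            return False   # stale task delivered out of order: dropped
        self.orders[order_id] = dict(current, _seq=seq, **meta)
        return True


def out_of_order_delivery():
    """Second PUT processed first; the first must not overwrite it."""
    store = OrderStore()
    t1 = store.enqueue_put("o1", {"email": "old@example.com"})
    t2 = store.enqueue_put("o1", {"email": "new@example.com"})
    applied = (store.apply_task(t2), store.apply_task(t1))
    return store.orders["o1"]["email"], applied


def cap_rejects_excess_puts():
    """Once MAX_PENDING_UPDATES PUTs are queued, the next one is refused."""
    store = OrderStore()
    for i in range(MAX_PENDING_UPDATES):
        store.enqueue_put("o2", {"n": i})
    try:
        store.enqueue_put("o2", {"n": 99})
    except TooManyUpdates:
        return True
    return False
```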