[openstack-dev] Lack of quota - security bug or not?

Jay Pipes jaypipes at gmail.com
Wed Dec 10 21:07:35 UTC 2014


On 12/10/2014 04:05 PM, Jeremy Stanley wrote:
> On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote:
>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>> I have a small discussion in Launchpad: is the lack of a quota
>>> for an unprivileged user counted as a security bug (or at least as a
>>> bug)?
>>>
>>> If a user can create 100500 objects in the database via the normal API
>>> and ops have no way to restrict this, is it OK for OpenStack or not?
>>
>> That would be a major security bug. Please do file one and we'll
>> get on it immediately.
>
> I think the bigger question is whether the lack of a quota
> implementation for everything a tenant could ever possibly create is
> something we should have reported in secret, worked under embargo,
> backported to supported stable branches, and announced via
> high-profile security advisories once fixed.

Sure, fine.

-jay


