[openstack-dev] [nova, cinder, neutron] quota-update tenant-name bug

Salvatore Orlando sorlando at nicira.com
Thu Jul 30 06:14:11 UTC 2015


To the best of my knowledge Neutron is unable to enforce tenant quotas
using the tenant name; this should be "undocumented".
What Kevin suggests also goes in this direction, even if we have to be
careful as we're making assumptions on how tenant ids are represented (if
the deployment is not using Keystone, for instance, they could be anything).

Quotas are enforce by checking the tenant_id for which a resource is being
created is not already using all its quota of this resource.
Neutron does not have any logic for resolving the tenant name into its
identifier in this process.

The validation of the tenant identifier is something that goes beyond quota
management. Users with admin credentials can create networks and other
resources for random tenants that do not exist. Validation of the tenant id
might make sense, but, as Kevin said, must be performed by Keystone.
Therefore in order to avoid an extra round trip I would personally try and
perform this task in the keystonemiddleware step (the one that does
authentication too).

Nevertheless there is a deferred nova spec [1] and patch [2] aiming at
performing exactly what's asked for here - validating the tenant id when
setting up quotas. I personally think we should seek a solution for
validating the tenant_id for every request (if the operator wishes to do
so).

Salvatore

[1]
http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/validate-tenant-user-with-keystone.html
[2] https://review.openstack.org/#/c/143934/



On 30 July 2015 at 07:44, Kevin Benton <blak111 at gmail.com> wrote:

> >Dev lessons learned: we need to validate better our inputs and refuse to
> update a tenant-id that does not exist.
>
> This is something that has come up in Neutron discussions before. There
> are two issues here:
> 1. Performance: it will require a round-trip to Keystone on every request.
> 2. If the Neutron keystone user in unprivileged and the request context is
> unprivileged, we might not actually be allowed to tell if the tenant exists.
>
> The first we can deal with, but the second is going to be an issue that we
> might not be able to get around.
>
> How about as a temporary solution, we just confirm that the input is a
> UUID so names don't get used?
>
> On Wed, Jul 29, 2015 at 10:19 PM, Bruno L <teolupus.ext at gmail.com> wrote:
>
>> This is probably affecting other people as well, so hopefully message
>> will avoid some headaches.
>>
>> [nova,cinder,neutron] will allow you to do a quota-update using the
>> tenant-name (instead of tenant-id). They will also allow you to do a
>> quota-show tenant-name and get the expected values back.
>>
>> Then you go to the tenant and end up surprised that the quotas have not
>> been applied and you can still do things you were not supposed to.
>>
>> It turns out that [nova,cinder,neutron] just created an entry on the
>> quota table, inserting the tenant-name on the tenant-id field.
>>
>> "Surprise, surprise!"
>>
>> Ops lessons learned: use the tenant-id!
>>
>> Dev lessons learned: we need to validate better our inputs and refuse to
>> update a tenant-id that does not exist.
>>
>> I have documented this behaviour on
>> https://bugs.launchpad.net/neutron/+bug/1399065 and
>> https://bugs.launchpad.net/neutron/+bug/1317515. I can reproduce it in
>> IceHouse.
>>
>> Could someone please confirm if this is still the case on master? If not,
>> which version of OpenStack addressed that?
>>
>> Thanks,
>> Bruno
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Kevin Benton
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150730/ca95c039/attachment.html>


More information about the OpenStack-dev mailing list