[Openstack-security] [Bug 1210869] Re: Ratelimiting not working
Jeremy Stanley
fungi at yuggoth.org
Tue Aug 20 17:46:37 UTC 2013
Yes, I agree in this case it doesn't sound like any actual security
vulnerability was being addressed by that module, so no OSSA warranted.
** Changed in: ossa
Status: Incomplete => Invalid
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210869
Title:
Ratelimiting not working
Status in OpenStack Compute (Nova):
In Progress
Status in OpenStack Security Advisories:
Invalid
Bug description:
Current master does not respect ratelimiting, since parsing of the api-paste.ini is faulty. api-paste.ini configues user limiting by
setting a line as follows (according to the code and unit test):
user:<user-id>:(GET, *, ".*", 4, minute)
This was passed to the Limiter as kwargs with "user" as a key.
Thus multiple user limiting is not possible as well as extracting
the id of the user was bound to fail, since we checked on the key
with startswith("user:")
An example config in the api-paste.ini has to look as follows:
limits = (POST, "*", .*, 10, MINUTE)
limits.<user-id1>:(GET, "*", .*, 4, minute)
limits.<user-id2>:(GET, "*", .*, 2, minute)
This can be then tested by maybe trying to run "cinder list" with a
configures user and see if the limit is respected.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1210869/+subscriptions
More information about the Openstack-security
mailing list