[Openstack-security] [Bug 1210869] Re: Ratelimiting not working

OpenStack Infra 1210869 at bugs.launchpad.net
Mon Aug 26 06:02:55 UTC 2013


Reviewed:  https://review.openstack.org/41267
Committed: http://github.com/openstack/nova/commit/5b8ee43b8603999f2ee15ef40f22d04c2800009c
Submitter: Jenkins
Branch:    master

commit 5b8ee43b8603999f2ee15ef40f22d04c2800009c
Author: Seif Lotfy <s.lotfy at telekom.de>
Date:   Sat Aug 10 21:04:31 2013 +0000

    Fix ratelimiting
    
    Current master does not respect ratelimiting, since parsing of the
    api-paste.ini is faulty. api-paste.ini limited user limiting by
    setting a line as follows:
    user:<user-id>:(GET, *, ".*", 4, minute)
    
    This was passed to the Limiter as kwargs with "user" as a key.
    Thus multiple user limiting is not possible, and extracting
    the id of the user was bound to fail, since we checked on the key
    with startswith("user:").
    
    An example config in the api-paste.ini has to look as follows:
    limits = (POST, "*", .*, 10, MINUTE)
    limits.<user-id1>:(GET, "*", .*, 4, minute)
    limits.<user-id2>:(GET, "*", .*, 2, minute)
    
    The code has been modified to be able to handle such configs.
    
    Fixes bug: 1210869
    
    Change-Id: Iaec669b282a567d42fbe21a6f64e7bc99161053b


** Changed in: nova
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210869

Title:
  Ratelimiting not working

Status in OpenStack Compute (Nova):
  Fix Committed
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Current master does not respect ratelimiting, since parsing of the api-paste.ini is faulty. api-paste.ini configures user limiting by
  setting a line as follows (according to the code and unit test):

  user:<user-id>:(GET, *, ".*", 4, minute)

  This was passed to the Limiter as kwargs with "user" as a key.
  Thus multiple user limiting is not possible, and extracting
  the id of the user was bound to fail, since we checked on the key
  with startswith("user:").

  An example config in the api-paste.ini has to look as follows:
  limits = (POST, "*", .*, 10, MINUTE)
  limits.<user-id1>:(GET, "*", .*, 4, minute)
  limits.<user-id2>:(GET, "*", .*, 2, minute)

  This can then be tested by maybe trying to run "cinder list" with a
  configured user and see if the limit is respected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1210869/+subscriptions
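Added illustration (not Nova's code and not part of this bug report): a small Python reimplementation of the parsing step the commit message describes, showing why the old "user:<user-id>:(...)" line reaches the filter as the key "user" and why the "limits.<user-id>" form survives. The INI fragments are constructed from the lines quoted above; the tuple parser and the case-preserving optionxform are assumptions, not Nova's implementation.

```python
import configparser
import re

# Constructed api-paste.ini fragments built from the lines quoted in the bug.
BROKEN_INI = """[filter:ratelimit]
user:<user-id>:(GET, *, ".*", 4, minute)
"""
FIXED_INI = """[filter:ratelimit]
limits = (POST, "*", .*, 10, MINUTE)
limits.<user-id1>:(GET, "*", .*, 4, minute)
limits.<user-id2>:(GET, "*", .*, 2, minute)
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def section_kwargs(ini_text, section="filter:ratelimit"):
    """Key/value pairs an INI parser produces for one section.

    The stdlib ConfigParser (which paste.deploy builds on) accepts both
    '=' and ':' as key/value delimiter and splits each line at the FIRST
    one.  So 'user:<user-id>:(...)' yields the key 'user' with the id
    glued onto the value, while 'limits.<user-id>:(...)' keeps the id
    inside the key, where a prefix check can find it.
    """
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep user ids case-sensitive (assumption)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def parse_limit(spec):
    """'(GET, "*", .*, 4, minute)' -> (verb, uri, regex, count, seconds)."""
    m = re.fullmatch(r"\s*\((.*)\)\s*", spec)
    if m is None:
        raise ValueError("limit must be parenthesised: %r" % spec)
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    if len(parts) != 5:
        raise ValueError("limit needs 5 fields: %r" % spec)
    verb, uri, regex, count, unit = parts
    return (verb.upper(), uri, regex, int(count), UNIT_SECONDS[unit.lower()])


def per_user_limits(kwargs, prefix):
    """{user_id: limit} for every key that starts with `prefix`.

    With the broken format the only key is 'user', so startswith('user:')
    never matches and every user silently gets the default limits only.
    """
    return {key[len(prefix):]: parse_limit(value)
            for key, value in kwargs.items() if key.startswith(prefix)}
```

Running per_user_limits(section_kwargs(BROKEN_INI), "user:") returns an empty dict, which is the silent failure the bug describes; the fixed fragment yields one parsed limit per user id.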
