[Openstack-security] [Bug 1210869] Re: Ratelimiting not working
Robert Clark
1210869 at bugs.launchpad.net
Thu Aug 29 14:56:52 UTC 2013
There should probably be an OSSN highlighting that rate limiting exists
and pointing to the correct configurations. It can also mention that
there was a problem with some versions of the code, linking to this bug.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210869
Title:
  Ratelimiting not working

Status in OpenStack Compute (Nova):
  Fix Committed
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  Current master does not respect ratelimiting, since parsing of the
  api-paste.ini is faulty. api-paste.ini configures user limiting by
  setting a line as follows (according to the code and unit test):

      user:<user-id>:(GET, *, ".*", 4, minute)

  This was passed to the Limiter as kwargs with "user" as a key.
  Thus multiple user limiting is not possible, and extracting
  the id of the user was bound to fail, since we checked on the key
  with startswith("user:").

  An example config in the api-paste.ini has to look as follows:

      limits = (POST, "*", .*, 10, MINUTE)
      limits.<user-id1>:(GET, "*", .*, 4, minute)
      limits.<user-id2>:(GET, "*", .*, 2, minute)

  This can then be tested by maybe trying to run "cinder list" with a
  configured user and seeing if the limit is respected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1210869/+subscriptions
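
The key-parsing problem explained in the bug description, as an added example that is not part of the original message and is not Nova's code. It assumes the ini lines are split at the first "=" or ":" the way Python's standard configparser does, with repeated keys silently overwriting each other; the [filter:ratelimit] section name, the user ids "alice" and "bob", and the helper names are constructed for illustration.

```python
import configparser

# Constructed api-paste.ini fragments; the user ids are made up.
OLD_STYLE = """\
[filter:ratelimit]
limits = (POST, "*", .*, 10, MINUTE)
user:alice:(GET, "*", .*, 4, minute)
user:bob:(GET, "*", .*, 2, minute)
"""

NEW_STYLE = """\
[filter:ratelimit]
limits = (POST, "*", .*, 10, MINUTE)
limits.alice:(GET, "*", .*, 4, minute)
limits.bob:(GET, "*", .*, 2, minute)
"""


def filter_kwargs(ini_text, section="filter:ratelimit"):
    """Return the section's options as the kwargs a filter would receive."""
    # strict=False: a repeated key overwrites the earlier one without error.
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep option names case-sensitive
    parser.read_string(ini_text)
    return dict(parser.items(section))


def per_user_limits(kwargs, prefix):
    """Collect {user_id: limit_spec} from keys that start with `prefix`."""
    return {k[len(prefix):]: v for k, v in kwargs.items() if k.startswith(prefix)}


if __name__ == "__main__":
    old = filter_kwargs(OLD_STYLE)
    # Both user lines collapse into the single key "user"; the id ends up
    # inside the value, so a startswith("user:") test on the key never matches.
    print("old-style kwargs:", old)
    print("old-style per-user limits:", per_user_limits(old, "user:"))

    new = filter_kwargs(NEW_STYLE)
    # Each user now has a distinct key, so every per-user limit survives.
    print("new-style per-user limits:", per_user_limits(new, "limits."))
```
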