This repository has been archived by the owner on Mar 31, 2023. It is now read-only.
[Enhancement] Need to verify project id in DB query #395
This issue has been fixed in the RBAC PR. Are there still some problems with the current test?
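@Gzure The RBAC PR did resolve part of the problem: the project id is "translated" from the security token. The remaining problem is that when we call an internal service (like VPC mgr) and pass a random project id in the URL, all VPCs show up... Note that the two VPCs in the response below carry different project_id values (ending in ...f51 and ...f50), so the result cannot have been scoped to a single project id. Repro steps: {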
"vpcs": [
{
"default": true,
"id": "9192a4d4-ffff-4ece-b3f0-8d36e3d88039",
"project_id": "3dda2801-d675-4688-a63f-dcda8d327f51",
"tenant_id": "3dda2801-d675-4688-a63f-dcda8d327f51",
"name": "sample_vpc",
"description": "vpc",
"cidr": "10.0.0.0/16",
"routes": [
{
"destination": "10.0.0.0/16",
"target": "Local",
"priority": 0,
"associatedType": "VPC",
"associatedTableId": "4c2d0eae-3864-4e05-a3e5-3e95a30d72df",
"id": "e8127b0f-1e16-46f6-b3c2-34e355d242ac",
"project_id": "3dda2801-d675-4688-a63f-dcda8d327f51",
"tenant_id": "3dda2801-d675-4688-a63f-dcda8d327f51",
"name": "default_route_rule",
"description": ""
}
],
"router": {},
"admin_state_up": true,
"dns_domain": "domain",
"mtu": 1400,
"port_security_enabled": true,
"provider:network_type": "vxlan",
"provider:physical_network": "",
"provider:segmentation_id": 13709312,
"router:external": false,
"segments": [],
"shared": false,
"vlan_transparent": false,
"is_default": true,
"availability_zone_hints": [],
"availability_zones": [
"Nova"
],
"qos_policy_id": [],
"revision_number": 1,
"status": "ACTIVE",
"tags": [],
"created_at": "2020-10-16 14:10:12",
"updated_at": "2020-10-16 14:10:12",
"ipv4_address_scope": "",
"ipv6_address_scope": "",
"l2_adjacency": "",
"subnets": []
},
{
"default": true,
"id": "9192a4d4-ffff-4ece-b3f0-8d36e3d88038",
"project_id": "3dda2801-d675-4688-a63f-dcda8d327f50",
"tenant_id": "3dda2801-d675-4688-a63f-dcda8d327f50",
"name": "sample_vpc",
"description": "vpc",
"cidr": "10.0.0.0/16",
"routes": [
{
"destination": "10.0.0.0/16",
"target": "Local",
"priority": 0,
"associatedType": "VPC",
"associatedTableId": "5099a13f-59f4-41e9-b293-85b2a5ea7999",
"id": "a6663f45-c1dd-4eec-9067-647bac9d0efd",
"project_id": "3dda2801-d675-4688-a63f-dcda8d327f50",
"tenant_id": "3dda2801-d675-4688-a63f-dcda8d327f50",
"name": "default_route_rule",
"description": ""
}
],
"router": {},
"admin_state_up": true,
"dns_domain": "domain",
"mtu": 1400,
"port_security_enabled": true,
"provider:network_type": "vxlan",
"provider:physical_network": "",
"provider:segmentation_id": 12161024,
"router:external": false,
"segments": [],
"shared": false,
"vlan_transparent": false,
"is_default": true,
"availability_zone_hints": [],
"availability_zones": [
"Nova"
],
"qos_policy_id": [],
"revision_number": 1,
"status": "ACTIVE",
"tags": [],
"created_at": "2020-10-15 21:28:52",
"updated_at": "2020-10-15 21:28:52",
"ipv4_address_scope": "",
"ipv6_address_scope": "",
"l2_adjacency": "",
"subnets": [
"9192a4d4-ffff-4ece-b3f0-8d36e3d88000"
]
}
]
}
Bug Description
Currently, when resources are queried by project id, VPC/Subnet/Route mgr do not check the project id in the DB query, which may expose resources belonging to other projects.
Proposed change
This issue should be handled in the Alcor common library, so that it offers a generic solution to the upstream microservices.