OpenStack Networking (Neutron)
Aaron Rosen 1faec8354a Prevent cross plugging router ports from other tenants
Previously, a tenant could plug an interface into another tenant's
router if he knew their router_id by creating a port with the correct
device_id and device_owner. This patch prevents this from occurring
by preventing non-admin users from creating ports with device_owner
network:router_interface with a device_id that matches another tenant's router.
In addition, it prevents one from updating a port's device_owner and device_id
so that the device_id won't match another tenant's router with device_owner
being network:router_interface.

NOTE: with this change it does open up the possibility for a tenant to discover
router_ids of another tenant by guessing them and updating a port till
a conflict occurs. That said, randomly guessing the router id would be hard
and in theory should not matter if exposed. We also need to allow a tenant
to update the device_id on network:router_interface ports as this would be
used by anyone using a vm as a service router. This issue will be fixed in
another patch upstream as a db migration is required but since this needs
to be backported to all stable branches this is not possible.

NOTE: The only plugins affected by this are the ones that use the l3-agent.

NOTE: **One should perform an audit of the ports that are already
        attached to routers after applying this patch and remove ports
        that a tenant may have cross plugged.**

Closes-bug: #1243327

Conflicts:
    neutron/common/exceptions.py
    neutron/db/db_base_plugin_v2.py

Change-Id: I8bc6241f537d937e5729072dcc76871bf407cdb3
2014-03-27 14:32:55 +00:00
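
One way to run the audit the commit message asks for, as an added example that is not part of the Neutron code base. It assumes the port and router lists were exported with admin credentials so that all tenants are visible; the function name and sample records are hypothetical.

```python
# Added example: audit existing router-interface ports for cross-tenant plugging.
# Dicts mirror Neutron v2.0 port/router resources; sample data is constructed.
ROUTER_INTF = "network:router_interface"


def audit_router_ports(ports, routers):
    """Return (cross_tenant, dangling) findings for router-interface ports.

    cross_tenant: the port's tenant differs from the tenant owning the router.
    dangling: device_id matches no router in the supplied list.
    """
    router_owner = {r["id"]: r["tenant_id"] for r in routers}
    cross_tenant, dangling = [], []
    for port in ports:
        if port.get("device_owner") != ROUTER_INTF:
            continue  # only router interfaces are in scope
        router_id = port.get("device_id")
        if router_id not in router_owner:
            dangling.append(port["id"])
        elif router_owner[router_id] != port["tenant_id"]:
            cross_tenant.append({
                "port_id": port["id"],
                "port_tenant": port["tenant_id"],
                "router_id": router_id,
                "router_tenant": router_owner[router_id],
            })
    return cross_tenant, dangling


# Constructed sample inventory (not real IDs).
SAMPLE_ROUTERS = [
    {"id": "router-a", "tenant_id": "tenant-a"},
    {"id": "router-b", "tenant_id": "tenant-b"},
]
SAMPLE_PORTS = [
    {"id": "port-1", "tenant_id": "tenant-a", "device_id": "router-a", "device_owner": ROUTER_INTF},
    {"id": "port-2", "tenant_id": "tenant-b", "device_id": "router-a", "device_owner": ROUTER_INTF},
    {"id": "port-3", "tenant_id": "tenant-a", "device_id": "vm-1", "device_owner": "compute:nova"},
    {"id": "port-4", "tenant_id": "tenant-b", "device_id": "router-gone", "device_owner": ROUTER_INTF},
]

if __name__ == "__main__":
    crossed, dangling = audit_router_ports(SAMPLE_PORTS, SAMPLE_ROUTERS)
    for finding in crossed:
        print("review: port %(port_id)s (%(port_tenant)s) on router "
              "%(router_id)s (%(router_tenant)s)" % finding)
    for port_id in dangling:
        print("review: port %s references an unknown router" % port_id)
```

A tenant mismatch is a candidate for review rather than proof of cross plugging, since an admin may have created the attachment on purpose.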
bin Use built-in print() instead of print statement 2013-09-21 07:30:33 -07:00
contrib Update tox.ini to support RHEL 6.x. 2013-03-08 08:52:25 -05:00
doc Update references with new Mailing List location 2013-07-28 11:35:32 -07:00
etc Update help message of flag 'enable_isolated_metadata' 2014-03-03 13:54:31 +01:00
neutron Prevent cross plugging router ports from other tenants 2014-03-27 14:32:55 +00:00
quantum Re-assign quantum.api module as last operation 2013-07-15 22:51:28 +02:00
tools Use built-in print() instead of print statement 2013-09-21 07:30:33 -07:00
.coveragerc fix some missing change from quantum to neutron 2013-07-08 12:11:04 +08:00
.gitignore Ignore pbr*.egg directory 2013-08-09 06:06:07 +08:00
.gitreview Open stable/havana 2013-10-17 17:31:36 +02:00
.mailmap fix conversion type missing 2013-09-06 02:16:13 +08:00
.pylintrc Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
.testr.conf Add support for managing async processes 2014-01-09 15:35:21 -06:00
HACKING.rst Fix wrong example in HACKING.rst 2013-08-18 14:26:36 +08:00
LICENSE Adding Apache Version 2.0 license file. This is the official license agreement under which Quantum code is available to 2011-08-08 12:31:04 -07:00
MANIFEST.in Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
README.rst Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
TESTING Add support for managing async processes 2014-01-09 15:35:21 -06:00
babel.cfg Use babel to generate translation file 2013-01-24 00:20:32 +08:00
openstack-common.conf Remove openstack.common.exception usage 2013-08-06 10:42:02 +02:00
requirements.txt Updated neutronclient dependency 2014-03-21 19:06:46 +01:00
run_tests.sh Don't need to init testr in run_tests.sh 2013-09-12 01:04:09 +08:00
setup.cfg Bump stable/havana next version to 2013.2.3 2014-02-13 21:48:40 +01:00
setup.py Updated from global requirements 2013-10-01 16:13:29 +00:00
test-requirements.txt Updated from global requirements 2013-12-11 18:50:27 +00:00
tox.ini Have tox install via setup.py develop 2014-02-11 10:44:18 +01:00

README.rst

# -- Welcome!

You have come across a cloud computing network fabric controller. It has identified itself as "Neutron." It aims to tame your (cloud) networking!

# -- External Resources:

The homepage for Neutron is: http://launchpad.net/neutron . Use this site to ask for help and to file bugs. Code is available on GitHub at <http://github.com/openstack/neutron>.

The latest and most in-depth documentation on how to use Neutron is available at: <http://docs.openstack.org>. This includes:

Neutron Administrator Guide: http://docs.openstack.org/trunk/openstack-network/admin/content/

Neutron API Reference: http://docs.openstack.org/api/openstack-network/2.0/content/

The start of some developer documentation is available at: http://wiki.openstack.org/NeutronDevelopment

For help using or hacking on Neutron, you can send mail to <mailto:openstack-dev@lists.openstack.org>.