Block allowed address pairs on other tenants' net
Don't allow tenants to use the allowed address pairs extension when they are attaching a port to a network that does not belong to them. This is done because allowed address pairs can allow things like ARP spoofing and all tenants attached to a shared network might not implicitly trust each other. Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5 Closes-Bug: #1447242
This commit is contained in:
parent
0511a6cc25
commit
55f6c8d036
|
@ -53,6 +53,7 @@
|
||||||
"create_port:binding:host_id": "rule:admin_only",
|
"create_port:binding:host_id": "rule:admin_only",
|
||||||
"create_port:binding:profile": "rule:admin_only",
|
"create_port:binding:profile": "rule:admin_only",
|
||||||
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
"get_port:queue_id": "rule:admin_only",
|
"get_port:queue_id": "rule:admin_only",
|
||||||
"get_port:binding:vif_type": "rule:admin_only",
|
"get_port:binding:vif_type": "rule:admin_only",
|
||||||
|
@ -66,6 +67,7 @@
|
||||||
"update_port:binding:host_id": "rule:admin_only",
|
"update_port:binding:host_id": "rule:admin_only",
|
||||||
"update_port:binding:profile": "rule:admin_only",
|
"update_port:binding:profile": "rule:admin_only",
|
||||||
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
|
|
||||||
"get_router:ha": "rule:admin_only",
|
"get_router:ha": "rule:admin_only",
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
"create_port:binding:host_id": "rule:admin_only",
|
"create_port:binding:host_id": "rule:admin_only",
|
||||||
"create_port:binding:profile": "rule:admin_only",
|
"create_port:binding:profile": "rule:admin_only",
|
||||||
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
"get_port:queue_id": "rule:admin_only",
|
"get_port:queue_id": "rule:admin_only",
|
||||||
"get_port:binding:vif_type": "rule:admin_only",
|
"get_port:binding:vif_type": "rule:admin_only",
|
||||||
|
@ -66,6 +67,7 @@
|
||||||
"update_port:binding:host_id": "rule:admin_only",
|
"update_port:binding:host_id": "rule:admin_only",
|
||||||
"update_port:binding:profile": "rule:admin_only",
|
"update_port:binding:profile": "rule:admin_only",
|
||||||
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
|
|
||||||
"get_router:ha": "rule:admin_only",
|
"get_router:ha": "rule:admin_only",
|
||||||
|
|
Loading…
Reference in New Issue