From 19619ce88862b17c4fdbf81072fa77e5252e533e Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 2 Feb 2021 19:58:14 +0100
Subject: [PATCH] Validate user access to vip_subnet_id when creating a LB

A user was able to create a LB using a vip_subnet_id from another user (by passing the UUID). Now, the vip_subnet_id parameter is validated using the user context, so an error is returned if the subnet doesn't belong to the user.

I479019a911b5a1acfc1951d1cbbc2a351089cb4d was a previous attempt to fix that bug but vip_subnet_id check was missing.

Story: 2008586
Task: 41741
Depends-On: https://review.opendev.org/774157
Change-Id: I602418264e171a2b1a926eff0b1f9e6dc186295a
(cherry picked from commit 8d86187c0abd282d10a9fbe294df68f9100ad4a0)
(cherry picked from commit 7d1b81d78f4383af725e0f6557b6dfe37ec74799)
---
 octavia/api/v2/controllers/load_balancer.py | 2 +-
 .../validate-access-to-vip_subnet_id-48fc92b45529cafd.yaml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/validate-access-to-vip_subnet_id-48fc92b45529cafd.yaml

diff --git a/octavia/api/v2/controllers/load_balancer.py b/octavia/api/v2/controllers/load_balancer.py
index fc2970da1f..4051483aee 100644
--- a/octavia/api/v2/controllers/load_balancer.py
+++ b/octavia/api/v2/controllers/load_balancer.py
@@ -264,7 +264,7 @@ class LoadBalancersController(base.BaseController):
         # Validate just the subnet id
         elif load_balancer.vip_subnet_id:
             subnet = validate.subnet_exists(
-                subnet_id=load_balancer.vip_subnet_id)
+                subnet_id=load_balancer.vip_subnet_id, context=context)
             load_balancer.vip_network_id = subnet.network_id
         if load_balancer.vip_qos_policy_id:
             validate.qos_policy_exists(
diff --git a/releasenotes/notes/validate-access-to-vip_subnet_id-48fc92b45529cafd.yaml b/releasenotes/notes/validate-access-to-vip_subnet_id-48fc92b45529cafd.yaml
new file mode 100644
index 0000000000..30637a3a45
--- /dev/null
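Review bot: The sibling `validate.qos_policy_exists(` call at the end of the hunk still performs an unscoped lookup while the subnet lookup directly above it now passes `context=context`; if that validator accepts a request context (as `subnet_exists` does once the Depends-On change lands), the QoS policy reference deserves the same ownership check, and if it is deliberately exempt a short comment should record why. The new keyword also relies on the `validate.subnet_exists` signature introduced by the Depends-On review (https://review.opendev.org/774157); a tree that picks up this patch without it would presumably fail the call outright rather than reject the request, so the dependency is worth stating in the code as well as the commit message. A one-line comment above the call would make the intent durable, e.g. `# Look the subnet up with the caller's context so a subnet owned by another project is rejected, not silently accepted.` The enclosing method, and the `context` name it must provide, start outside the hunk, so its signature cannot be checked here.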
+++ b/releasenotes/notes/validate-access-to-vip_subnet_id-48fc92b45529cafd.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix a bug that allowed a user to create a load balancer on a
+    ``vip_subnet_id`` that belongs to another user using the subnet UUID.