Validate user access to vip_subnet_id when creating a LB

A user was able to create a LB using a vip_subnet_id from another user
(by passing the UUID).
Now, the vip_subnet_id parameter is validated using the user context,
so an error is returned if the subnet doesn't belong to the user.

I479019a911b5a1acfc1951d1cbbc2a351089cb4d was a previous attempt to fix
that bug, but the vip_subnet_id check was missing.

Story: 2008586
Task: 41741

Depends-On: https://review.opendev.org/774157

Change-Id: I602418264e171a2b1a926eff0b1f9e6dc186295a
(cherry picked from commit 8d86187c0a)
(cherry picked from commit 7d1b81d78f)
Gregory Thiemonge 2021-02-02 19:58:14 +01:00 committed by Carlos Goncalves
parent 46b9ce7cde
commit 73db7b0762
2 changed files with 6 additions and 1 deletions

@ -264,7 +264,7 @@ class LoadBalancersController(base.BaseController):
# Validate just the subnet id
elif load_balancer.vip_subnet_id:
subnet = validate.subnet_exists(
subnet_id=load_balancer.vip_subnet_id)
subnet_id=load_balancer.vip_subnet_id, context=context)
load_balancer.vip_network_id = subnet.network_id
if load_balancer.vip_qos_policy_id:
validate.qos_policy_exists(
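
Review bot: No regression test accompanies the `context=context` argument added to the `validate.subnet_exists` call in the `elif load_balancer.vip_subnet_id:` branch; the change touches only this file and the release note. Suggest adding an API test that creates a load balancer with a `vip_subnet_id` owned by a different project and asserts that the request is rejected, since the commit message says an earlier fix already missed this path. It is also worth confirming that every other caller of `validate.subnet_exists` passes the request context, because a call without it, as on the removed line, looks the subnet up outside the user's scope.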

@ -0,0 +1,5 @@
---
fixes:
- |
Fix a bug that allowed a user to create a load balancer on a
``vip_subnet_id`` that belongs to another user using the subnet UUID.
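
Review bot: The entry sits only under `fixes:`, although it describes one user creating a load balancer on another user's subnet, which is an access-control fix that operators will want to spot when deciding whether to upgrade. Suggest repeating it under a `security:` section and stating that the request now returns an error when the subnet does not belong to the requesting user.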