Block allowed address pairs on other tenants' net
Don't allow tenants to use the allowed address pairs extension when they are attaching a port to a network that does not belong to them. This is done because allowed address pairs can allow things like ARP spoofing and all tenants attached to a shared network might not implicitly trust each other. Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5 Closes-Bug: #1447242
This commit is contained in:
parent
76d873a452
commit
927399c011
@ -53,6 +53,7 @@
|
|||||||
"create_port:binding:host_id": "rule:admin_only",
|
"create_port:binding:host_id": "rule:admin_only",
|
||||||
"create_port:binding:profile": "rule:admin_only",
|
"create_port:binding:profile": "rule:admin_only",
|
||||||
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
"get_port:queue_id": "rule:admin_only",
|
"get_port:queue_id": "rule:admin_only",
|
||||||
"get_port:binding:vif_type": "rule:admin_only",
|
"get_port:binding:vif_type": "rule:admin_only",
|
||||||
@ -66,6 +67,7 @@
|
|||||||
"update_port:binding:host_id": "rule:admin_only",
|
"update_port:binding:host_id": "rule:admin_only",
|
||||||
"update_port:binding:profile": "rule:admin_only",
|
"update_port:binding:profile": "rule:admin_only",
|
||||||
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
|
|
||||||
"get_router:ha": "rule:admin_only",
|
"get_router:ha": "rule:admin_only",
|
||||||
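Review bot: The new `"create_port:allowed_address_pairs": "rule:admin_or_network_owner"` entry at L27 drops the `or rule:context_is_advsvc` clause that the neighbouring `create_port:mac_learning_enabled` rule carries, so an advanced-service context creating a port with address pairs on a network it does not own will now be refused; if that is intended (it does close the spoofing path the description names), say so in the commit message, otherwise the line should read `"create_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:context_is_advsvc",`. The same question applies to the `update_port:allowed_address_pairs` rule at L64 and to the identical pair of rules in the second policy section (L264–L335), which has to stay in sync with this file. The attribute rule presumably only fires when `allowed_address_pairs` is explicitly present in the request body, so ports on a shared network that never send it are unaffected — worth confirming against the policy engine, since that behaviour is not visible in this hunk.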
|
@ -14,6 +14,9 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from tempest_lib import exceptions as lib_exc
|
||||||
|
import testtools
|
||||||
|
|
||||||
from neutron.tests.api import base
|
from neutron.tests.api import base
|
||||||
from neutron.tests.tempest import config
|
from neutron.tests.tempest import config
|
||||||
from neutron.tests.tempest import test
|
from neutron.tests.tempest import test
|
||||||
@ -94,3 +97,35 @@ class SharedNetworksTest(base.BaseAdminNetworkTest):
|
|||||||
# shared network extension attribute is returned.
|
# shared network extension attribute is returned.
|
||||||
self._show_shared_network(self.admin_client)
|
self._show_shared_network(self.admin_client)
|
||||||
self._show_shared_network(self.client)
|
self._show_shared_network(self.client)
|
||||||
|
|
||||||
|
|
||||||
|
class AllowedAddressPairSharedNetworkTest(base.BaseAdminNetworkTest):
|
||||||
|
allowed_address_pairs = [{'ip_address': '1.1.1.1'}]
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def skip_checks(cls):
|
||||||
|
super(AllowedAddressPairSharedNetworkTest, cls).skip_checks()
|
||||||
|
if not test.is_extension_enabled('allowed-address-pairs', 'network'):
|
||||||
|
msg = "Allowed Address Pairs extension not enabled."
|
||||||
|
raise cls.skipException(msg)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def resource_setup(cls):
|
||||||
|
super(AllowedAddressPairSharedNetworkTest, cls).resource_setup()
|
||||||
|
cls.network = cls.create_shared_network()
|
||||||
|
cls.create_subnet(cls.network, client=cls.admin_client)
|
||||||
|
|
||||||
|
@test.attr(type='smoke')
|
||||||
|
@test.idempotent_id('86c3529b-1231-40de-803c-ffffffff1fff')
|
||||||
|
def test_create_with_address_pair_blocked_on_other_network(self):
|
||||||
|
with testtools.ExpectedException(lib_exc.Forbidden):
|
||||||
|
self.create_port(self.network,
|
||||||
|
allowed_address_pairs=self.allowed_address_pairs)
|
||||||
|
|
||||||
|
@test.attr(type='smoke')
|
||||||
|
@test.idempotent_id('86c3529b-1231-40de-803c-ffffffff2fff')
|
||||||
|
def test_update_with_address_pair_blocked_on_other_network(self):
|
||||||
|
port = self.create_port(self.network)
|
||||||
|
with testtools.ExpectedException(lib_exc.Forbidden):
|
||||||
|
self.update_port(
|
||||||
|
port, allowed_address_pairs=self.allowed_address_pairs)
|
||||||
|
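Review bot: The two new tests in `AllowedAddressPairSharedNetworkTest` only exercise the denial path; nothing checks that the network owner (the admin here, since `resource_setup` builds the network with `cls.create_shared_network()` and the subnet with `client=cls.admin_client`) can still set `allowed_address_pairs` on a port in the shared network, so a policy regression that denies everyone would pass this suite. A positive counterpart that creates the port through the admin client and asserts the returned port carries the pairs would pin both sides of the rule; `create_subnet` already accepts `client=cls.admin_client`, so presumably `create_port` takes the same keyword, but its signature is not visible in this hunk. The port created at L248 in `test_update_with_address_pair_blocked_on_other_network` is left to base-class cleanup, which is fine only if `BaseAdminNetworkTest.create_port` registers it for deletion — also outside this hunk. A class docstring stating the intent, e.g. `"""Non-owners of a shared network must not set allowed_address_pairs (guards against ARP spoofing between tenants)."""`, would tie these tests to the policy change.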
@ -53,6 +53,7 @@
|
|||||||
"create_port:binding:host_id": "rule:admin_only",
|
"create_port:binding:host_id": "rule:admin_only",
|
||||||
"create_port:binding:profile": "rule:admin_only",
|
"create_port:binding:profile": "rule:admin_only",
|
||||||
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"create_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
"get_port:queue_id": "rule:admin_only",
|
"get_port:queue_id": "rule:admin_only",
|
||||||
"get_port:binding:vif_type": "rule:admin_only",
|
"get_port:binding:vif_type": "rule:admin_only",
|
||||||
@ -66,6 +67,7 @@
|
|||||||
"update_port:binding:host_id": "rule:admin_only",
|
"update_port:binding:host_id": "rule:admin_only",
|
||||||
"update_port:binding:profile": "rule:admin_only",
|
"update_port:binding:profile": "rule:admin_only",
|
||||||
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||||
|
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
|
||||||
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||||
|
|
||||||
"get_router:ha": "rule:admin_only",
|
"get_router:ha": "rule:admin_only",
|
||||||
|