Don't allow tenants to use the allowed address pairs extension
when they are attaching a port to a network that does not belong
to them.
This is done because allowed address pairs can allow things like
ARP spoofing and all tenants attached to a shared network might not
implicitly trust each other.
Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242
(cherry picked from commit 927399c011409b7d152b7670b896f15eee7d0db3)
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_router:ha": "rule:admin_only",
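Review bot: The two new rules omit `rule:context_is_advsvc`, unlike the neighbouring `create_port:mac_learning_enabled` / `update_port:mac_learning_enabled` rules, so an advanced-service context that creates ports on a shared or tenant-owned network can no longer set address pairs there (VIP/VRRP-style services are the usual consumers of this attribute). If that is intended, it should be stated in the commit message since it is a behaviour change for those services; if not, the lines should read `"create_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:context_is_advsvc"` and the matching `update_port` rule. Also worth stating is that these attribute-level rules presumably fire only when `allowed_address_pairs` is explicitly present in the request, so pairs already set on a port are untouched; that seems acceptable for this fix but is not obvious from the rule alone.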
# License for the specific language governing permissions and limitations
# under the License.
+from tempest_lib import exceptions as lib_exc
+import testtools
+
from neutron.tests.api import base
from neutron.tests.tempest import config
from neutron.tests.tempest import test
# shared network extension attribute is returned.
self._show_shared_network(self.admin_client)
self._show_shared_network(self.client)
+
+
+class AllowedAddressPairSharedNetworkTest(base.BaseAdminNetworkTest):
+ allowed_address_pairs = [{'ip_address': '1.1.1.1'}]
+
+ @classmethod
+ def skip_checks(cls):
+ super(AllowedAddressPairSharedNetworkTest, cls).skip_checks()
+ if not test.is_extension_enabled('allowed-address-pairs', 'network'):
+ msg = "Allowed Address Pairs extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(AllowedAddressPairSharedNetworkTest, cls).resource_setup()
+ cls.network = cls.create_shared_network()
+ cls.create_subnet(cls.network, client=cls.admin_client)
+
+ @test.attr(type='smoke')
+ @test.idempotent_id('86c3529b-1231-40de-803c-ffffffff1fff')
+ def test_create_with_address_pair_blocked_on_other_network(self):
+ with testtools.ExpectedException(lib_exc.Forbidden):
+ self.create_port(self.network,
+ allowed_address_pairs=self.allowed_address_pairs)
+
+ @test.attr(type='smoke')
+ @test.idempotent_id('86c3529b-1231-40de-803c-ffffffff2fff')
+ def test_update_with_address_pair_blocked_on_other_network(self):
+ port = self.create_port(self.network)
+ with testtools.ExpectedException(lib_exc.Forbidden):
+ self.update_port(
+ port, allowed_address_pairs=self.allowed_address_pairs)
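Review bot: Both tests assert only the negative case, so a policy mistake that denies `allowed_address_pairs` to everyone, including the network owner, would still pass; a positive check that the owner of the shared network can still set pairs would pin the intended boundary, something like `self.admin_client.create_port(network_id=self.network['id'], allowed_address_pairs=self.allowed_address_pairs)` with no `Forbidden` expected and the port registered for cleanup. The class has no docstring, and the `Forbidden` assertions depend on the deployment running the default policy.json; a class docstring such as `"""Non-owners of a shared network must not set allowed_address_pairs (default policy.json)."""` would make that dependency clear when the test fails on a site with customised policy. The port created in `test_update_with_address_pair_blocked_on_other_network` is presumably tracked for cleanup by the base class `create_port`; if it is not, it leaks across runs.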
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
"get_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+ "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
"delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
"get_router:ha": "rule:admin_only",
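Review bot: This appears to be a second copy of the same policy fragment (presumably the copy used by the test suite), and the two must stay identical or the API tests will exercise one file while deployments enforce the other. Operators who maintain a customised policy.json will not pick up these two new rules on upgrade, so the ARP-spoofing exposure described in the commit message stays open for them; a release note telling them to add `"create_port:allowed_address_pairs": "rule:admin_or_network_owner"` and the matching `update_port:allowed_address_pairs` rule would make the fix effective in practice.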