Bug 1382010

Summary: Unable to create path based routes in different project
Product: OpenShift Container Platform Reporter: Jonas Nordell <jnordell>
Component: NetworkingAssignee: Ben Bennett <bbennett>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED NOTABUG Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, pep
Version: 3.2.1   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-07 14:07:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1267746    

Description Jonas Nordell 2016-10-05 13:58:01 UTC 
Description of problem:

Creating path based routes with the same hostname is allowed in the same project. So I can create two routes with the same hostname but with different paths pointing to different services.

But if I try to create a third route in a different project with the same hostname but a different path I will get a route with the HOST/PORT of the value HostAlreadyClaimed

It should not matter if I'm in the same project or different project? As long as the path is different?


Version-Release number of selected component (if applicable):
3.2.1

How reproducible:

Always 

Steps to Reproduce:

Create a route with hostname and one path in one project and then create a route in different project with the same hostname but with different path

Actual results:


Expected results:


Additional info:
Also tested on 3.3 with the same result
Comment 3 Ben Bennett 2016-10-07 14:07:13 UTC 
https://github.com/openshift/openshift-docs/pull/2886 is already in progress to address that.
 
We do not allow it because it's a security risk.  Let's say that namespace A defines:
  bankofamerica.com path / -> banking app

And the login url is:
  bankofamerica.com/login

That will route to the banking app because / matches everything under it.

Now let's say namespace B then defines:
  bankofamerica.com path /login -> hostile app

Then they can see all of the credentials that are attempted on bankofamerica.com.  While this is heavy-handed and will prevent all logins, and someone likely would notice, there are other clever attacks that one could imagine that would be less obvious.
Comment 4 Josep 'Pep' Turro Mauri 2016-10-18 13:32:36 UTC 
An enhancement request has been raised to be able to extend the uniqueness check to include path segments: bug 1386243.