Bug 1382010 - Unable to create path based routes in different project
Summary: Unable to create path based routes in different project
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Ben Bennett
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks: 1267746
TreeView+ depends on / blocked
 
Reported: 2016-10-05 13:58 UTC by Jonas Nordell
Modified: 2022-08-04 22:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-07 14:07:13 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Jonas Nordell 2016-10-05 13:58:01 UTC
Description of problem:

Creating path based routes with the same hostname is allowed in the same project. So I can create two routes with the same hostname but with different paths pointing to different services.

But if I try to create a third route in a different project with the same hostname but a different path I will get a route with the HOST/PORT of the value HostAlreadyClaimed

It should not matter if I'm in the same project or different project? As long as the path is different?


Version-Release number of selected component (if applicable):
3.2.1

How reproducible:

Always 

Steps to Reproduce:

Create a route with hostname and one path in one project and then create a route in different project with the same hostname but with different path

Actual results:


Expected results:


Additional info:
Also tested on 3.3 with the same result

Comment 3 Ben Bennett 2016-10-07 14:07:13 UTC
https://github.com/openshift/openshift-docs/pull/2886 is already in progress to address that.
 
We do not allow it because it's a security risk.  Let's say that namespace A defines:
  bankofamerica.com path / -> banking app

And the login url is:
  bankofamerica.com/login

That will route to the banking app because / matches everything under it.

Now let's say namespace B then defines:
  bankofamerica.com path /login -> hostile app

Then they can see all of the credentials that are attempted on bankofamerica.com.  While this is heavy-handed and will prevent all logins, and someone likely would notice, there are other clever attacks that one could imagine that would be less obvious.

Comment 4 Josep 'Pep' Turro Mauri 2016-10-18 13:32:36 UTC
An enhancement request has been raised to be able to extend the uniqueness check to include path segments: bug 1386243.


Note You need to log in before you can comment on or make changes to this bug.