yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Mon, 20 Apr 2015 15:33:23 -0000
Reply-to: Bug 1445335 <1445335@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

You've switched the status of this bug to indicate an exploitable
security vulnerability. Can you please clarify the conditions under
which this bug can be exploited by a malicious actor, and the extent of
the impact it implies?

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1445335

Title:
  create/delete flavor permissions should be controlled by policy.json

Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  The create/delete flavor rest api always expects the user to be of
  admin privileges and ignores the rule defined in the nova/policy.json.
  This behavior is observed after these changes >>
  https://review.openstack.org/#/c/150352/.

  The expected behavior is that the permissions are controlled as per
  the rule defined in the policy file and should not mandate that only
  an admin should be able to create/delete a flavor

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions

References

[Bug 1445335] [NEW] create/delete flavor permissions should be controlled by policy.json
From: Divya K Konoor, 2015-04-17