yahoo-eng-team team mailing list archive

[Bug 1447164] [NEW] require_admin_context() does not account for policy.json rulesets

Public bug reported:

The API RBAC is done using a policy.json file which allows fine-grained control over each API endpoint by setting specific rules.
Consequently, some defaulted admin-only endpoints can be opened by modifying their corresponding policy rules to be for anyone.

Unfortunately, in many places (in the DB and at the API level following the blueprint api-policy-v3), there is a call to context.require_admin_context() which is just checking whether the user is admin or not but doesn't match the policy rules.

As we all agreed with api-policy-v3 that RBAC should be done at the API level, there is no reason to keep that call to context.require_admin_context(), and we should assume that policy.json is the single source of truth for knowing the access rights.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1447164

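The mismatch the report describes, as an added illustration that is not nova's own context or oslo.policy code: a constructed request context, a tiny evaluator for a subset of the policy.json rule syntax, and a handler that either keeps the hard-coded require_admin_context() after the policy check or treats policy.json as the single source of truth. The rule names, the policy dictionary and the user records are all constructed for this example.

```python
# Constructed model of the bug: a policy check that passes, followed by a
# hard-coded is_admin check that rejects the same request anyway.
class RequestContext:
    def __init__(self, user_id, roles, is_admin):
        self.user_id = user_id
        self.roles = roles
        self.is_admin = is_admin

class AdminRequired(Exception):
    pass

class PolicyNotAuthorized(Exception):
    pass

def require_admin_context(ctx):
    # The call the report objects to: it looks only at ctx.is_admin and
    # never consults policy.json.
    if not ctx.is_admin:
        raise AdminRequired()

def check_rule(rule, ctx, rules):
    # Minimal subset of policy.json syntax: "" (anyone), "is_admin:True",
    # "role:<name>", "rule:<other_rule>" and "a or b" (hypothetical evaluator).
    if rule == "":
        return True
    if " or " in rule:
        return any(check_rule(r.strip(), ctx, rules) for r in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return check_rule(rules[value], ctx, rules)
    raise ValueError("unsupported rule: " + rule)

def enforce(ctx, action, rules):
    if not check_rule(rules[action], ctx, rules):
        raise PolicyNotAuthorized(action)

# Constructed policy.json: the operator opened one defaulted admin-only
# action to anyone by setting its rule to "".
RULES = {
    "admin_api": "is_admin:True",
    "compute_extension:services": "",            # opened to anyone
    "compute_extension:evacuate": "rule:admin_api",
}

def handle(ctx, action, rules, legacy_admin_check):
    # legacy_admin_check=True mirrors the reported code path; False is the
    # proposed behaviour where policy.json alone decides.
    try:
        enforce(ctx, action, rules)
        if legacy_admin_check:
            require_admin_context(ctx)
    except PolicyNotAuthorized:
        return "denied by policy"
    except AdminRequired:
        return "denied by require_admin_context"
    return "allowed"
```

With the legacy check in place the opened action is still refused for a non-admin, so the operator's policy edit has no effect; with policy as the single source of truth the admin-only action stays protected by its own rule.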

