yahoo-eng-team team mailing list archive

[Bug 1447164] Re: require_admin_context() does not account for policy.json rulesets


Thanks for the additional context, Alex. I'll close this bug (mark it as
invalid).

** Changed in: nova
       Status: Confirmed => Invalid

** Changed in: nova
     Assignee: Diana Clarke (diana-clarke) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1447164

Title:
  require_admin_context() does not account for policy.json rulesets

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  The API RBAC is done using a policy.json file which allows fine-grained control over each API endpoint by setting specific rules.
  Consequently, some defaulted admin-only endpoints can be opened by modifying their corresponding policy rules to be for anyone.

  Unfortunately, in many places (in the DB and at the API level
  following the blueprint api-policy-v3), there is a call to
  context.require_admin_context() which is just checking if the user is
  admin or not but doesn't match with the policy rules.

  As we all agreed with api-policy-v3 that RBAC should be done at the
  API level, there is no reason to keep that call to
  context.require_admin_context() and we should assume that policy.json
  is the single source of truth for knowing the access rights.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1447164/+subscriptions
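As an added example (not nova's own code and not from the bug reporter), the mismatch the description points at can be reproduced with a small evaluator for a subset of the policy.json rule syntax (`rule:`, `role:`, `is_admin:`, the empty "anyone" rule, and `or`/`and`). The rule names, roles, contexts and handler functions below are constructed for illustration; the point is that a hard-coded `require_admin_context()` denies a request the operator's policy has deliberately opened, so policy.json stops being the single source of truth.

```python
"""Constructed example: policy-driven RBAC versus a hard-coded is_admin check."""


class PolicyNotAuthorized(Exception):
    """Raised when either enforcement path rejects the request."""


def _check_term(term, ctx, rules):
    """Evaluate one check of the policy mini-language against a request context."""
    term = term.strip()
    if term in ("", "@"):          # empty rule: anyone may pass
        return True
    if term == "!":                # nobody may pass
        return False
    kind, _, value = term.partition(":")
    if kind == "rule":             # reference to another named rule
        return evaluate(value, ctx, rules)
    if kind == "role":
        return value in ctx["roles"]
    if kind == "is_admin":
        return str(ctx["is_admin"]) == value
    raise ValueError(f"unsupported check: {term!r}")


def evaluate(rule_name, ctx, rules):
    """Return True when the named rule grants access. 'or' binds looser than 'and'."""
    expr = rules[rule_name]
    for alternative in expr.split(" or "):
        if all(_check_term(t, ctx, rules) for t in alternative.split(" and ")):
            return True
    return False


def enforce(action, ctx, rules):
    """Policy-driven check: the behaviour api-policy-v3 wants at the API layer."""
    if not evaluate(action, ctx, rules):
        raise PolicyNotAuthorized(action)


def require_admin_context(ctx):
    """The hard-coded check the bug describes: consults only is_admin, never policy."""
    if not ctx["is_admin"]:
        raise PolicyNotAuthorized("admin context required")


def make_context(roles):
    """Constructed request context; is_admin mirrors membership of the admin role."""
    return {"roles": list(roles), "is_admin": "admin" in roles}


# Constructed rule sets. Default: the endpoint is admin-only.
DEFAULT_RULES = {
    "admin_api": "is_admin:True",
    "compute_extension:hosts": "rule:admin_api",
}
# Operator-modified policy.json: an 'operator' role may now use the endpoint too.
OPENED_RULES = {
    "admin_api": "is_admin:True",
    "compute_extension:hosts": "rule:admin_api or role:operator",
}


def handler_policy_only(ctx, rules):
    """API handler that relies on policy alone."""
    enforce("compute_extension:hosts", ctx, rules)
    return "hosts listed"


def handler_with_db_check(ctx, rules):
    """Same handler, but the DB layer it calls still demands an admin context."""
    enforce("compute_extension:hosts", ctx, rules)
    require_admin_context(ctx)
    return "hosts listed"


def outcome(handler, ctx, rules):
    """Run a handler and report 'denied' instead of raising, for comparison."""
    try:
        return handler(ctx, rules)
    except PolicyNotAuthorized:
        return "denied"


def find_shadowed_grants(action, rules, candidate_roles):
    """Audit helper: roles that policy grants for `action` but the is_admin check would still block."""
    shadowed = []
    for role in candidate_roles:
        ctx = make_context([role])
        if evaluate(action, ctx, rules) and not ctx["is_admin"]:
            shadowed.append(role)
    return shadowed


if __name__ == "__main__":
    for rules_name, rules in (("default", DEFAULT_RULES), ("opened", OPENED_RULES)):
        for role in ("member", "operator", "admin"):
            ctx = make_context([role])
            print(rules_name, role,
                  "policy-only:", outcome(handler_policy_only, ctx, rules),
                  "with-db-check:", outcome(handler_with_db_check, ctx, rules))
    print("shadowed by is_admin under opened policy:",
          find_shadowed_grants("compute_extension:hosts", OPENED_RULES, ["member", "operator", "admin"]))
```

`find_shadowed_grants` is the check a deployer can run over their own rule set: any non-admin role it returns is one the policy file promises access to while a residual `require_admin_context()` on the code path silently refuses it.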
