yahoo-eng-team team mailing list archive
Message #38526
[Bug 1447164] Re: require_admin_context() does not account for policy.json rulesets
Thanks for the additional context, Alex. I'll close this bug (mark it as invalid).
** Changed in: nova
Status: Confirmed => Invalid
** Changed in: nova
Assignee: Diana Clarke (diana-clarke) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1447164
Title:
require_admin_context() does not account for policy.json rulesets
Status in OpenStack Compute (nova):
Invalid
Bug description:
The API RBAC is done using a policy.json file which allows fine-grained control over each API endpoint by setting specific rules. Consequently, some defaulted admin-only endpoints can be opened by modifying their corresponding policy rules to be for anyone.

Unfortunately, in many places (in the DB and at the API level following the blueprint api-policy-v3), there is a call to context.require_admin_context() which is just checking if the user is admin or not but doesn't match with the policy rules.

As we all agreed with api-policy-v3 that RBAC should be done at the API level, there is no reason to keep that call to context.require_admin_context() and we should assume that policy.json is the single source of truth for knowing the access rights.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1447164/+subscriptions
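As an added illustration (not nova's code), the following models the mismatch the description contrasts: a policy.json-style rule that an operator has opened to anyone, evaluated at the API layer, followed by a lower-layer require_admin_context() that only inspects is_admin. RequestContext, check_rule, hosts_endpoint and the RULES mapping are constructed stand-ins, not nova or oslo.policy APIs.

```python
from dataclasses import dataclass


@dataclass
class RequestContext:
    user_id: str
    is_admin: bool


class AdminRequired(Exception):
    """Raised by the hard-coded is_admin check."""


# Constructed policy.json contents (not nova's shipped file): the operator has
# opened the hosts extension to anyone by replacing "rule:admin_api" with "".
RULES = {
    "admin_api": "is_admin:True",
    "compute_extension:hosts": "",
    "compute_extension:services": "rule:admin_api",
}


def check_rule(rule, ctx):
    """Evaluate a small subset of policy syntax: '', 'rule:X', 'is_admin:True', 'or'."""
    if rule == "":                       # empty rule allows everyone
        return True
    if " or " in rule:
        return any(check_rule(p, ctx) for p in rule.split(" or "))
    if rule.startswith("rule:"):
        return check_rule(RULES[rule[len("rule:"):]], ctx)
    if rule == "is_admin:True":
        return ctx.is_admin
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def require_admin_context(ctx):
    """Models the lower-layer check the bug describes: it only looks at is_admin."""
    if not ctx.is_admin:
        raise AdminRequired(ctx.user_id)


def hosts_endpoint(ctx):
    """API layer enforces the policy rule, then the DB layer re-checks is_admin."""
    if not check_rule(RULES["compute_extension:hosts"], ctx):
        return "denied by policy"
    try:
        require_admin_context(ctx)       # does not consult the opened rule
    except AdminRequired:
        return "denied by require_admin_context"
    return "ok"
```

A non-admin caller passes the opened policy rule but is still rejected by the second check, which is the inconsistency the report argues should be removed in favour of policy.json alone.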