yahoo-eng-team team mailing list archive
Message #59855
[Bug 1632820] Re: os-server-groups policy doesn't separate CRUD actions
Seems it is already done; part of the generated policy file:
"os_compute_api:os-server-groups:discoverable": "@"
#
"os_compute_api:os-server-groups": "rule:admin_or_owner"
#
"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"
** Changed in: nova
Status: Confirmed => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1632820
Title:
os-server-groups policy doesn't separate CRUD actions
Status in OpenStack Compute (nova):
Opinion
Bug description:
nova.api.openstack.compute.server_groups.ServerGroupController uses
the same policy check (os_compute_api:os-server-groups) for show,
delete, index, and create, instead of separating these into separate
checks (e.g. os_compute_api:os-server-groups:delete). This makes it
impossible to customize policy such that some roles are allowed to do
some but not all of these operations, e.g. show/index server groups
but not create/delete them.
Found with Newton.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1632820/+subscriptions
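The difference between the single check described in the bug report and the per-action rules quoted in the reply, as an added example that is not part of the original message and is not nova or oslo.policy code. It assumes a simplified rule evaluator, a constructed stand-in for `admin_or_owner`, and a hypothetical read-only role named `auditor`.

```python
# Simplified model of policy rule resolution (an assumption for illustration,
# not oslo.policy): supports "@", "!", "role:<name>", "rule:<name>" and " or ".
ACTIONS = ("create", "delete", "index", "show")
BASE = "os_compute_api:os-server-groups"

DEFAULTS = {
    # Constructed stand-in; the real admin_or_owner definition is not on the page.
    "admin_or_owner": "role:admin or role:member",
    BASE: "rule:admin_or_owner",
    # Per-action rules default to the base rule, as in the quoted policy file.
    **{f"{BASE}:{a}": f"rule:{BASE}" for a in ACTIONS},
}


def allowed(policy, name, roles, seen=frozenset()):
    """Evaluate rule `name` for a caller holding `roles`; fail closed."""
    if name not in policy or name in seen:  # unknown rule or reference cycle
        return False
    for term in policy[name].split(" or "):
        term = term.strip()
        if term == "@":
            return True
        if term.startswith("role:") and term[5:] in roles:
            return True
        if term.startswith("rule:") and allowed(policy, term[5:], roles, seen | {name}):
            return True
    return False  # "!" and unrecognised terms never grant access


def single_check(overrides, roles):
    """Behaviour in the bug report: every action checks the base rule."""
    policy = {**DEFAULTS, **overrides}
    return {a: allowed(policy, BASE, roles) for a in ACTIONS}


def per_action(overrides, roles):
    """Behaviour with split rules: each action checks its own rule."""
    policy = {**DEFAULTS, **overrides}
    return {a: allowed(policy, f"{BASE}:{a}", roles) for a in ACTIONS}


# Hypothetical read-only role "auditor" (not from the page).
COARSE = {BASE: "rule:admin_or_owner or role:auditor"}
FINE = {f"{BASE}:{a}": f"rule:{BASE} or role:auditor" for a in ("index", "show")}

if __name__ == "__main__":
    print("single check:", single_check(COARSE, {"auditor"}))
    print("per action:  ", per_action(FINE, {"auditor"}))
```

With the single check, the only way to let `auditor` list server groups is to widen the base rule, which also grants create and delete; with per-action rules the override stays confined to index and show.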