yahoo-eng-team team mailing list archive

[Bug 1581203] Re: Default policy allows unrestricted CRUD on os-server-tags

 

Reviewed:  https://review.openstack.org/396420
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f0c0621aa09a6f659e9080313962b99adbb63459
Submitter: Jenkins
Branch:    master

commit f0c0621aa09a6f659e9080313962b99adbb63459
Author: Sujitha <sujitha.neti@xxxxxxxxx>
Date:   Thu Nov 3 17:16:56 2016 +0000

    Change os-server-tags default policy
    
    os-server-tags operations should be limited only to admin or owner
    of the server. This patch changes the default policy
    from ANY to ADMIN_OR_OWNER.
    
    This patch doesn't address the actual policy check at the API level.
    This would be fixed as part of a wider effort. For now, we maintain
    consistency with other similar APIs.
    
    Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956
    Closes-Bug: #1581203


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1581203

Title:
  Default policy allows unrestricted CRUD on os-server-tags

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  The default policy for os-server-tags listed here
  (https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L448-L453)
  allows all users to do any CRUD operations on all server tags. This
  should be limited down to only admin_or_owner.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1581203/+subscriptions
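
An added example, not part of the original notification or of nova's code: a small audit that reports which os-server-tags rules in a deployed policy file are unrestricted, as the bug describes, or absent so that the in-code default applies. The six rule names are assumed from nova's "os_compute_api:<extension>:<action>" naming, and both sample policies are constructed.

```python
import json

# Assumed rule names, following nova's "os_compute_api:<extension>:<action>"
# convention; the page itself only links to the policy.json lines.
TAG_RULES = [
    "os_compute_api:os-server-tags:" + action
    for action in ("index", "show", "update", "update_all", "delete", "delete_all")
]

# In oslo.policy syntax an empty check string and "@" both mean "always allow".
ALLOW_ALL = ("", "@")


def resolve(policy, check, seen=()):
    """Follow plain "rule:<name>" aliases until a concrete check string."""
    if not check:                      # "" or the legacy empty list []
        return ""
    if not isinstance(check, str):     # legacy list syntax: leave untouched
        return check
    check = check.strip()
    if check.startswith("rule:") and " " not in check:
        name = check[len("rule:"):]
        if name in policy and name not in seen:   # 'seen' guards alias loops
            return resolve(policy, policy[name], seen + (name,))
    return check


def audit_server_tags(policy):
    """Return {rule: finding} for server-tag rules that are not restricted."""
    findings = {}
    for rule in TAG_RULES:
        if rule not in policy:
            findings[rule] = "not set in file; in-code default applies"
        elif resolve(policy, policy[rule]) in ALLOW_ALL:
            findings[rule] = "unrestricted"
    return findings


# Constructed sample policy files (not copied from nova).
WEAK = json.loads("""{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "any": "@",
  "os_compute_api:os-server-tags:index": "",
  "os_compute_api:os-server-tags:show": "rule:any",
  "os_compute_api:os-server-tags:update": "rule:admin_or_owner"
}""")
FIXED = {rule: "rule:admin_or_owner" for rule in TAG_RULES}
FIXED["admin_or_owner"] = WEAK["admin_or_owner"]

if __name__ == "__main__":
    for name, finding in audit_server_tags(WEAK).items():
        print(f"{name}: {finding}")
```

A rule reported as "not set in file" depends on the installed nova release, so whether it is restricted follows from whether that release includes the commit above.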

