yahoo-eng-team team mailing list archive

[Bug 1778994] [NEW] Compute services (os-services) API not granular enough by policy and code

 

Public bug reported:

The Nova Compute services (os-services) API is not granular enough in
the sense that multiple APIs check the same policy action for list,
update, and delete. This does not allow operators with strict security
requirements to have different roles that can perform certain APIs but
not others - it currently is all or nothing. As it currently stands,
listing, updating, and deleting compute services all check the single
policy action 'os_compute_api:os-services' - which prevents operators
who want read-only roles or other sub-admin type roles. To further
achieve RBAC granularity, new policy actions should be introduced and
checked by the os-services API.

** Affects: nova
     Importance: Undecided
     Assignee: Rick Bartra (rb560u)
         Status: New

** Changed in: nova
     Assignee: (unassigned) => Rick Bartra (rb560u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1778994

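The all-or-nothing effect described in the report, as an added example that is not part of the original bug report and is not Nova or oslo.policy code. Only the action 'os_compute_api:os-services' comes from the report; the ':list', ':update' and ':delete' action names, the role names and both helper functions are hypothetical.

```python
# Added illustration of the report's point. Constructed data throughout.
OPERATIONS = ("list", "update", "delete")

# Behaviour described in the report: every operation checks one policy action.
SINGLE_ACTION = {op: "os_compute_api:os-services" for op in OPERATIONS}

# Shape the report asks for: one action per operation (hypothetical names).
GRANULAR_ACTIONS = {op: f"os_compute_api:os-services:{op}" for op in OPERATIONS}

# Constructed policies: action -> roles allowed. A missing action means deny.
SINGLE_POLICY = {"os_compute_api:os-services": {"admin"}}
GRANULAR_POLICY = {
    "os_compute_api:os-services:list": {"admin", "reader"},
    "os_compute_api:os-services:update": {"admin", "operator"},
    "os_compute_api:os-services:delete": {"admin"},
}


def allowed_operations(action_map, policy, roles):
    """Return the operations a caller holding `roles` may perform."""
    held = set(roles)
    return {op for op, action in action_map.items()
            if held & policy.get(action, set())}


def expressible(action_map, wanted):
    """True if some grant of actions gives a role exactly the `wanted` operations.

    A role either holds or does not hold each distinct action, so every
    subset of the distinct actions is tried.
    """
    actions = sorted(set(action_map.values()))
    for mask in range(2 ** len(actions)):
        granted = {a for i, a in enumerate(actions) if (mask >> i) & 1}
        if {op for op, a in action_map.items() if a in granted} == set(wanted):
            return True
    return False


if __name__ == "__main__":
    for name, amap in (("single", SINGLE_ACTION), ("granular", GRANULAR_ACTIONS)):
        print(name, "read-only role expressible:", expressible(amap, {"list"}))
    print("reader under granular policy:",
          sorted(allowed_operations(GRANULAR_ACTIONS, GRANULAR_POLICY, ["reader"])))
```
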