yahoo-eng-team team mailing list archive

[Bug 1854053] [NEW] _add_tenant_access silently ignores 403

 

Public bug reported:

Running openstack flavor set from a project in which a user has an admin
role (but the project is not an admin project) allows the provided
project to be mapped to the flavor even if the permissions are
insufficient for the user to verify the project provided, i.e. the
generated 403 is ignored by nova silently at this point in code:
https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61.
This can in turn allow random projects to be mapped to flavors.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1854053

Title:
  _add_tenant_access silently ignores 403

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1854053/+subscriptions
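
The failure mode described in the report, as an added example that is not part of the original message and is not nova's code: a project check that treats a 403 from the identity lookup as success, next to a variant that requires a positive confirmation. All class, function and project names are hypothetical, and the lookup responses are constructed sample data.

```python
# Added illustration, not nova's code: every name here is hypothetical.
from dataclasses import dataclass


class ProjectVerificationError(Exception):
    """The project ID could not be positively confirmed."""


@dataclass
class IdentityResponse:
    status_code: int  # stand-in for the identity service's HTTP reply


def verify_fail_open(resp):
    """Pattern from the report: a 403 is treated as 'project is fine'."""
    if 200 <= resp.status_code < 300:
        return True
    if resp.status_code == 403:
        return True  # caller may not look the project up, ID accepted anyway
    raise ProjectVerificationError(f"HTTP {resp.status_code}")


def verify_fail_closed(resp):
    """Only a positive confirmation lets the mapping proceed."""
    if 200 <= resp.status_code < 300:
        return True
    raise ProjectVerificationError(f"cannot verify project (HTTP {resp.status_code})")


def constructed_lookup(project_id):
    """Constructed sample: the token can read only its own project."""
    return IdentityResponse(200 if project_id == "proj-own" else 403)


def map_project_to_flavor(access, flavor_id, project_id, verify):
    """Record the mapping only if verify() accepts the lookup result."""
    verify(constructed_lookup(project_id))
    access.setdefault(flavor_id, set()).add(project_id)
    return access


if __name__ == "__main__":
    print(map_project_to_flavor({}, "m1.small", "no-such-project", verify_fail_open))
    try:
        map_project_to_flavor({}, "m1.small", "no-such-project", verify_fail_closed)
    except ProjectVerificationError as exc:
        print("rejected:", exc)
```

The fail-closed variant also rejects valid project IDs when the caller cannot read them, so it trades convenience for the guarantee that every stored mapping was confirmed.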