yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1862484] Re: GET os-availability-zone API policy is allowed for everyone even policy defaults is admin_or_owner

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1862484@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Mar 2020 13:49:27 -0000
Reply-to: Bug 1862484 <1862484@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/706683
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b8c2de86ed46caf7768027e82519c2418989c36b
Submitter: Zuul
Branch:    master

commit b8c2de86ed46caf7768027e82519c2418989c36b
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date:   Sat Feb 8 17:45:12 2020 -0600

    Correct os-availability-zone policy check_str
    
    os-availability-zone API policy is default to admin_or_owner[1]
    but API is allowed for everyone.
    
    This is because API does not pass the project_id in policy
    target so that oslo policy can decide the ownership[2]. If no
    target is passed then, policy.py add the default targets which
    is nothing but context.project_id (allow for everyone try to access)
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
    
    AZ is user facing thing so that any user can list the AZ and use the
    same for creating server. Code is behaving as expected but policy
    rule check_str is confusing so let's correct it to base.RULE_ANY.
    
    [1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28
    [2] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/availability_zone.py#L111
    [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
    
    Closes-bug: #1862484
    
    Change-Id: If599a984a33081a93514b1a2ea02c0d5b850da8e


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1862484

Title:
  GET os-availability-zone API policy is allowed for everyone even
  policy defaults is admin_or_owner

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  os-availability-zone API policy is default to admin_or_owner[1] but
  API is allowed for everyone.

  This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership. 
  https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/availability_zone.py#L111

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  We need to default the GET /os-availability-zone policy same as GET
  details /os-availability-zone which is admin.

  [1]
  - https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/availability_zone.py#L27

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1862484/+subscriptions

References

[Bug 1862484] [NEW] GET os-availability-zone API policy is allowed for everyone even policy defaults is admin_or_owner
From: Ghanshyam Mann, 2020-02-08