yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1861464] Re: os-attach-interfaces API policy is allowed for everyone even policy defaults is admin_or_owner

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1861464@xxxxxxxxxxxxxxxxxx>
Date: Mon, 02 Mar 2020 19:33:32 -0000
Reply-to: Bug 1861464 <1861464@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/705135
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=728f2b215e0b9f12ea256acb1e39f7b93d918e6f
Submitter: Zuul
Branch:    master

commit 728f2b215e0b9f12ea256acb1e39f7b93d918e6f
Author: Ghanshyam <gmann@xxxxxxxxxxxxxxxxx>
Date:   Thu Jan 30 18:18:39 2020 -0600

    Fix os-attach-interfaces policy to be admin_or_owner
    
    os-attach-interfaces APi policy is default to admin_or_owner[1] but API
    is allowed for everyone.
    
    We can see the test trying with other project context can access the API
    - https://review.opendev.org/#/c/705126/1
    
    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]
    
    This commit fix this policy by passing the server's project_id in policy
    target.
    
    [1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28
    [2] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/attach_interfaces.py#L70
    [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
    Closes-bug: #1861464
    
    Change-Id: I1e2247884169e6ba3e5302be4323428c67ce7a10


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1861464

Title:
  os-attach-interfaces API policy is allowed for everyone even policy
  defaults is admin_or_owner

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  os-attach-interfaces APi policy is default to admin_or_owner[1] but
  API is allowed for everyone.

  We can see the test trying with other project context can access the API
  - https://review.opendev.org/#/c/705126/1

  This is because API does not pass the server project_id in policy target
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/attach_interfaces.py#L70

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  
  [1]
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1861464/+subscriptions

References

[Bug 1861464] [NEW] os-attach-interfaces API policy is allowed for everyone even policy defaults is admin_or_owner
From: Ghanshyam Mann, 2020-01-31