← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #82110

[Bug 1869396] Re: os-ips API policy is allowed for everyone even policy defaults is admin_or_owner

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.opendev.org/715496
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=58701be6159fff33f1800f6047361176b74d512b
Submitter: Zuul
Branch:    master

commit 58701be6159fff33f1800f6047361176b74d512b
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date:   Fri Mar 27 07:43:16 2020 -0500

    Fix os-ips policy to be admin_or_owner
    
    os-ips API policy is default to admin_or_owner[1] but API
    is allowed for everyone.
    
    We can see the test trying with other project context can access the API
    - https://review.opendev.org/#/c/715477
    
    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]
    
    This commit fix this policy by passing the server's project_id in policy
    target.
    
    Closes-bug: #1869396
    [1] https://github.com/openstack/nova/blob/eaf08c0b7b8250408e5d10c6471f2e3155cc0edb/nova/policies/ips.py#L27
    
    Change-Id: Ie7bcb6537f90813cc5b23d69c886037d25b15a42


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1869396

Title:
  os-ips API policy is allowed for everyone even policy defaults is
  admin_or_owner

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  os-ips API policy is default to admin_or_owner[1] but API is allowed
  for everyone.

  We can see the test trying with other project context can access the API
  - https://review.opendev.org/#/c/715477/

  This is because API does not pass the server project_id in policy target
  - https://github.com/openstack/nova/blob/96f6622316993fb41f4c5f37852d4c879c9716a5/nova/api/openstack/compute/ips.py#L41

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  [1]
  - https://github.com/openstack/nova/blob/eaf08c0b7b8250408e5d10c6471f2e3155cc0edb/nova/policies/ips.py#L27

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1869396/+subscriptions

References

  Thread PreviousDate PreviousThread Next