[Bug 1869543] Re: GET limits API policy is allowed for everyone but policy defaults is admin_or_owner
Reviewed: https://review.opendev.org/715672
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4d37ffc111ae8bb43bd33fe995bc3686b065131b
Submitter: Zuul
Branch: master
commit 4d37ffc111ae8bb43bd33fe995bc3686b065131b
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date: Sat Mar 28 21:35:59 2020 -0500
Correct limits policy check_str
The limits API policy defaults to admin_or_owner[1],
but the API is allowed (which is expected) for everyone.
This is because the API does not pass the project_id in the policy
target so that oslo policy can decide the ownership[2]. If no
target is passed, then policy.py adds the default targets, which
is nothing but context.project_id (allowed for everyone who tries to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
There is no owner thing in limits and every project can get
its own limits. We need to make the default RULE_ANY, which means
allowed to everyone.
[1] https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/policies/limits.py#L27
Closes-bug: #1869543
Change-Id: I80617e57a6e062e6038e1b3447e116a5f9e23d24
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1869543
Title:
GET limits API policy is allowed for everyone but policy defaults is
admin_or_owner
Status in OpenStack Compute (nova):
Fix Released
Bug description:
The limits API policy is allowed for everyone but the policy defaults to
admin_or_owner[1].
This is because the API does not pass the project_id in the policy target so that oslo policy can decide the ownership.
https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/api/openstack/compute/limits.py#L77
And if no target is passed, then policy.py adds the default targets, which is nothing but context.project_id (allowed for everyone who tries to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
There is no owner thing in limits and every project can get its own
limits. We need to make the default RULE_ANY, which means allowed to
everyone.
[1] https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/policies/limits.py#L27
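An added example, not taken from nova or oslo.policy: a simplified model of the rule evaluation the message describes, showing why admin_or_owner passes for every caller once the target falls back to the caller's own project_id. The evaluator, the helper names and the sample callers are assumptions made for illustration; only the two check strings follow nova's defaults.

```python
# Added illustration: a simplified model of an oslo.policy-style check,
# not nova's or oslo.policy's code. Function names here are hypothetical.
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"
RULE_ANY = "@"


def check(rule, target, creds):
    """Evaluate a rule made of 'key:value' checks joined by ' or '."""
    if rule == RULE_ANY:
        return True
    for clause in rule.split(" or "):
        key, _, match = clause.partition(":")
        try:
            expected = match % target  # fill %(project_id)s from the target
        except KeyError:
            continue                   # target lacks the key: clause fails
        if str(creds.get(key)) == expected:
            return True
    return False


def authorize(rule, creds, target=None):
    """Model the fallback described above: no target means the caller's own IDs."""
    if target is None:
        target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    return check(rule, target, creds)


def owner_check_is_vacuous(rule, sample_creds):
    """True if every sampled non-admin caller passes with no explicit target."""
    return all(authorize(rule, c) for c in sample_creds)


# Constructed sample callers: two non-admin users in different projects.
ALICE = {"user_id": "u-alice", "project_id": "p-a", "is_admin": False}
BOB = {"user_id": "u-bob", "project_id": "p-b", "is_admin": False}

if __name__ == "__main__":
    # No target passed: admin_or_owner gives the same answer as RULE_ANY.
    print(authorize(ADMIN_OR_OWNER, ALICE), authorize(RULE_ANY, ALICE))
    # Explicit target owned by another project: the owner check is enforced.
    print(authorize(ADMIN_OR_OWNER, BOB, target={"project_id": "p-a"}))
    print(owner_check_is_vacuous(ADMIN_OR_OWNER, [ALICE, BOB]))
```

The same comparison, run against a deployment's real rules, is a quick way to spot owner-scoped defaults that an API never actually enforces because it passes no target.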