
yahoo-eng-team team mailing list archive

[Bug 1782840] Re: No policy enforcement for several delete metadef APIs


Reviewed:  https://review.opendev.org/584530
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d2cc0dc5663657ae80550954269e19a6a8157501
Submitter: Zuul
Branch:    master

commit d2cc0dc5663657ae80550954269e19a6a8157501
Author: Rick Bartra <rb560u@xxxxxxx>
Date:   Fri Jul 20 17:42:09 2018 -0400

    Add Policy enforcement for several Metadata Definition delete APIs
    
    Several Metadata Definition delete APIs do not have RBAC. This
    patchset adds policy enforcement to the following APIs:
    
        - `Delete namespace`
        - `Delete object`
        - `Remove resource type association`
        - `Remove property definition`
        - `Delete tag definition`
        - `Delete all tag definitions`
    
    The following actions are enforced and added to the policy.json:
    
        - `delete_metadef_namespace`
        - `delete_metadef_object`
        - `remove_metadef_resource_type_association`
        - `remove_metadef_property`
        - `delete_metadef_tag`
        - `delete_metadef_tags`
    
    Most other APIs have policy enforcement, so the ones above should as
    well. Without adding policy enforcement for the above APIs, all roles
    can perform the delete APIs noted above.
    
    Change-Id: I8cd6eb26b0d3401fa4667384c31e4c56d838d42b
    Closes-Bug: #1782840
    Co-Authored-By: julian.sy@xxxxxxx


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1782840

Title:
  No policy enforcement for several delete metadef APIs

Status in Glance:
  Fix Released

Bug description:
  There is no policy enforcement for the following APIs:

  Delete namespace: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-namespace

  Delete object: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-object

  Remove resource type association: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-resource-type-association

  Remove property definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-property-definition

  Delete tag definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-tag-definition

  Most other APIs have policy enforcement, so the ones above should as
  well. Without adding policy enforcement for the above APIs, even the
  least privileged users (i.e. a user with the reader role) can perform the
  delete APIs noted above.

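As an added illustration (not Glance's code and not part of the original notification), the following Python models the gap and the fix: a minimal evaluator for policy.json-style "role:" / "rule:" expressions, plus a defender-side audit that flags any of the six delete metadef actions that is undefined or still permitted to a reader-only caller. The rule values and the modelling of the pre-fix behaviour as "no entry, fall through to the default rule" are assumptions; the page does not show the actual policy.json entries.

```python
# Actions named in the commit message. The rule strings below are constructed
# assumptions; the real policy.json entries are not shown on the page.
METADEF_DELETE_ACTIONS = (
    "delete_metadef_namespace",
    "delete_metadef_object",
    "remove_metadef_resource_type_association",
    "remove_metadef_property",
    "delete_metadef_tag",
    "delete_metadef_tags",
)

# Pre-fix state, modelled as "no rule for these actions": an action with no
# entry falls through to the permissive empty "default" rule, so any role passes.
UNFIXED_POLICY = {"context_is_admin": "role:admin", "default": ""}

# Post-fix state: each delete action now defers to the admin-only rule.
FIXED_POLICY = dict(UNFIXED_POLICY,
                    **{a: "rule:context_is_admin" for a in METADEF_DELETE_ACTIONS})


def check(rule, roles, policy):
    """Evaluate one policy expression: "" always matches, "role:<r>" matches if
    the caller holds <r>, and "rule:<name>" defers to another named rule."""
    if rule == "":
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return check(policy[value], roles, policy)
    raise ValueError("unsupported policy expression: %r" % rule)


def enforce(action, roles, policy):
    """True if a caller holding `roles` may perform `action` under `policy`."""
    return check(policy.get(action, policy["default"]), roles, policy)


def audit_metadef_deletes(policy):
    """Return the delete metadef actions that are either undefined in the
    policy or still allowed for a caller holding only the reader role."""
    return [a for a in METADEF_DELETE_ACTIONS
            if a not in policy or enforce(a, {"reader"}, policy)]


if __name__ == "__main__":
    print("pre-fix gaps: ", audit_metadef_deletes(UNFIXED_POLICY))
    print("post-fix gaps:", audit_metadef_deletes(FIXED_POLICY))
```

Running the audit against a deployment's real policy file after an upgrade is the check that would have caught this class of gap before a reader-role user could exercise the delete calls.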

