← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1871665] [NEW] servers actions (many) API policy is allowed for everyone even policy defaults is admin_or_owner

 

Public bug reported:

server actions like confirm_resize, reboot etc API policy is default to
admin_or_owner[1] but API is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/718348/

This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872

and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285

** Affects: nova
     Importance: Undecided
     Assignee: Ghanshyam Mann (ghanshyammann)
         Status: In Progress


** Tags: policy

** Project changed: neutron => nova

** Tags added: policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1871665

Title:
  servers actions (many) API policy is allowed for everyone even policy
  defaults is admin_or_owner

Status in OpenStack Compute (nova):
  In Progress

Bug description:
  server actions like confirm_resize, reboot etc API policy is default
  to admin_or_owner[1] but API is allowed for everyone.

  We can see the test trying with other project context can access the API
  - https://review.opendev.org/#/c/718348/

  This is because API does not pass the server project_id in policy target
  - https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  [1]
  - https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1871665/+subscriptions


Follow ups