yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1870872] Re: server topology API policy is allowed for everyone even policy defaults is admin_or_owner

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1870872@xxxxxxxxxxxxxxxxxx>
Date: Wed, 08 Apr 2020 18:49:15 -0000
Reply-to: Bug 1870872 <1870872@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/717525
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=88e399c98b2abd3e851b1c1c5124d5f1899d6f19
Submitter: Zuul
Branch:    master

commit 88e399c98b2abd3e851b1c1c5124d5f1899d6f19
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date:   Sat Apr 4 23:48:33 2020 -0500

    Correct server topology policy check_str
    
    server topology API policy is default to admin_or_owner[1]
    but API is allowed (which is expected) for everyone.
    
    This is because API does not pass the project_id in policy
    target so that oslo policy can decide the ownership[2]. If no
    target is passed then, policy.py add the default targets which
    is nothing but context.project_id (allow for everyone try to access)
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
    
    Passing the server project_id as target to make it admin_or_owner.
    
    [1] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24
    [2] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30
    
    Change-Id: I3296e08f16adf95949822bc43c03ef42fed74a4a
    Closes-bug: #1870872


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1870872

Title:
  server topology API policy is allowed for everyone even policy
  defaults is admin_or_owner

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  server topology index policy is default to admin_or_owner[1] but API
  is allowed for everyone.

  We can see the test trying with other project context can access the API
  - https://review.opendev.org/#/c/717524/

  This is because API does not pass the server project_id in policy target
  - https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  [1]
  - https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1870872/+subscriptions

References

[Bug 1870872] [NEW] server topology API policy is allowed for everyone even policy defaults is admin_or_owner
From: Ghanshyam Mann, 2020-04-05