yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #82239
[Bug 1870881] Re: server shelve API policy is allowed for everyone even policy defaults is admin_or_owner
Reviewed: https://review.opendev.org/717542
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=e4e97e23c13807d6949301a6f53fd8686f4b1802
Submitter: Zuul
Branch: master
commit e4e97e23c13807d6949301a6f53fd8686f4b1802
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date: Sun Apr 5 01:42:13 2020 -0500
Correct server shelve policy check_str
server shelve API policy is default to admin_or_owner[1]
but API is allowed (which is expected) for everyone.
This is because API does not pass the project_id in policy
target so that oslo policy can decide the ownership[2]. If no
target is passed then, policy.py add the default targets which
is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
Passing the server project_id as target to make it admin_or_owner.
[1] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/shelve.py#L89
[2] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/shelve.py#L37
Closes-bug: #1870881
Change-Id: I493062ed0ee632a9c647cf1f3cf497eebc39c4ca
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1870881
Title:
server shelve API policy is allowed for everyone even policy defaults
is admin_or_owner
Status in OpenStack Compute (nova):
Fix Released
Bug description:
server shelve API policy is default to admin_or_owner[1] but API is
allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/717182/
This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/shelve.py#L89
and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
[1]
- https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/shelve.py#L37
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1870881/+subscriptions
References