yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #82329
[Bug 1871665] Re: servers actions (many) API policy is allowed for everyone even policy defaults is admin_or_owner
Reviewed: https://review.opendev.org/718501
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=2a4a7162099ebb61c6d5eb5b410f710b3509a031
Submitter: Zuul
Branch: master
commit 2a4a7162099ebb61c6d5eb5b410f710b3509a031
Author: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date: Wed Apr 8 10:38:49 2020 -0500
Fix servers policy for admin_or_owner
servers API policy is default to admin_or_owner[1] but API
is allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/717204
This is because API does not pass the server project_id in policy target[2]
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone who try to access)[3]
This commit fix this policy by passing the server's project_id in policy
target.
Closes-bug: #1871665
Partial implement blueprint policy-defaults-refresh
[1] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285
[2] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872
[3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
Change-Id: Ia8234fd9f4ee1871d6f225c8bd4e4adc5289d605
** Changed in: nova
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1871665
Title:
servers actions (many) API policy is allowed for everyone even policy
defaults is admin_or_owner
Status in OpenStack Compute (nova):
Fix Released
Bug description:
server actions like confirm_resize, reboot etc API policy is default
to admin_or_owner[1] but API is allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/718348/
This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872
and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
[1]
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1871665/+subscriptions
References