yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1870226] Re: os-security-groups API policy is allowed for everyone even policy defaults is admin_or_owner

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Balazs Gibizer <1870226@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Nov 2020 08:48:33 -0000
Reply-to: Bug 1870226 <1870226@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1870226

Title:
  os-security-groups API policy is allowed for everyone even policy
  defaults is admin_or_owner

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  os-security-groups server API policy is default to admin_or_owner[1]
  but API is allowed for everyone.

  We can see the test trying with other project context can access the API
  - https://review.opendev.org/#/c/716779/

  This is because API does not pass the server project_id in policy target
  - https://github.com/openstack/nova/blob/7b51647f17c88c7c1ae321c59ab8a98c586d4b67/nova/api/openstack/compute/security_groups.py#L427

  and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
  - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

  [1]
  - https://github.com/openstack/nova/blob/7b51647f17c88c7c1ae321c59ab8a98c586d4b67/nova/policies/security_groups.py#L27

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1870226/+subscriptions

References

[Bug 1870226] [NEW] os-security-groups API policy is allowed for everyone even policy defaults is admin_or_owner
From: Ghanshyam Mann, 2020-04-01