yahoo-eng-team team mailing list archive
Message #94236
[Bug 2072639] [NEW] User with reader role can perform similar operation as other roles
Public bug reported:
Openstack Release: Zed (openstack deployed using openstack-helm)
OS: Ubuntu 22.04.2 LTS (Jammy)
The reader role in openstack can perform all the same operations as the
member role. It looks like it has the same permissions as the member role.
I tried assigning the reader role to one of the newly created users and
assigned it to a project where some other member-role user was also a
part of it. I created an instance using the member role and tried to delete it
using the reader-role user, which I managed to delete. This is not only
for instances; the reader role can also modify other openstack resources as
well, such as networks, volumes, etc.
The reader role should only have limited access, just to monitor the
resources. It should not modify them.
I have also tried to add [oslo_policy] enforce_new_defaults = True in
nova.conf, but it did not help. I also tried to add it to keystone.conf,
where I was not even able to perform any operation with it in horizon.
For e.g., if I clicked on launch instance, horizon was logging me
out. I also realized that I was getting a "You are not authorized to
perform this operation" error. In this case I was logged in as an admin.
I have attached the nova policy file for reference.
Is there any specific policy configuration needed or some changes in the
code of nova and keystone?
** Affects: keystone
Importance: Undecided
Status: New
** Attachment added: "policy.yaml"
https://bugs.launchpad.net/bugs/2072639/+attachment/5795824/+files/policy.yaml
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2072639
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2072639/+subscriptions
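Why a reader-only token passes the legacy nova rule but fails the new defaults, as an added example (not code from the bug report, from nova or from oslo.policy): the toy evaluator below handles just enough of oslo.policy's rule syntax (`and`/`or`, parentheses, `rule:`, `role:` and `key:%(target_attr)s` checks) to replay the reported scenario against two rule sets. The rule sets are simplified transcriptions of nova's legacy `admin_or_owner` rule, which only checks that the token's `project_id` matches the server's and so treats any user with any role on the project as the owner, and of the `project_member`/`project_reader` rules nova ships as new defaults in Zed, which check the role name as well. The credential dicts, project ids and the `token()` helper are constructed for the example; `token()` mirrors keystone's default implied roles (admin implies member implies reader).

```python
"""Toy evaluator for a subset of oslo.policy rule syntax (added example, not
oslo.policy itself).  Rule sets are simplified transcriptions of nova's
legacy and Zed new-default rules for two server APIs; credentials are
constructed sample tokens."""
import re

# Legacy nova defaults: "owner" is any user with any role on the target project.
LEGACY_RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:show": "rule:admin_or_owner",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
}

# New defaults: the role name is checked in addition to the project.
NEW_DEFAULT_RULES = {
    "context_is_admin": "role:admin",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "project_member_or_admin": "rule:project_member or rule:context_is_admin",
    "project_reader_or_admin": "rule:project_reader or rule:context_is_admin",
    "os_compute_api:servers:show": "rule:project_reader_or_admin",
    "os_compute_api:servers:delete": "rule:project_member_or_admin",
}

# Tokens: parentheses, the keywords and/or, or an atom; a '%(name)s'
# substitution stays inside its atom even though it contains parentheses.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")


def _parse(tokens):
    """Recursive descent; 'and' binds tighter than 'or', as in oslo.policy."""
    pos = 0

    def expr():            # or-level
        nonlocal pos
        node = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            node = ("or", node, term())
        return node

    def term():            # and-level
        nonlocal pos
        node = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            node = ("and", node, factor())
        return node

    def factor():          # atom or parenthesised sub-expression
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return node
        return ("atom", tok)

    tree = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule")
    return tree


def _check_atom(atom, rules, creds, target, depth):
    kind, _, value = atom.partition(":")
    if kind == "rule":                 # reference to another named rule
        return enforce(value, rules, creds, target, depth + 1)
    if kind == "role":                 # role membership, case-insensitive
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if value.startswith("%(") and value.endswith(")s"):
        # generic check against a target attribute, e.g. project_id:%(project_id)s
        return str(creds.get(kind)) == str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value   # literal comparison, e.g. is_admin:True


def _evaluate(node, rules, creds, target, depth):
    if node[0] == "atom":
        return _check_atom(node[1], rules, creds, target, depth)
    left = _evaluate(node[1], rules, creds, target, depth)
    if node[0] == "and":
        return left and _evaluate(node[2], rules, creds, target, depth)
    return left or _evaluate(node[2], rules, creds, target, depth)


def enforce(rule_name, rules, creds, target, depth=0):
    """True if the token described by `creds` may perform `rule_name` on `target`."""
    if depth > 16:
        raise RecursionError("rule reference loop at %s" % rule_name)
    return _evaluate(_parse(_TOKEN_RE.findall(rules[rule_name])), rules, creds, target, depth)


def token(roles, project_id):
    """Constructed sample credentials (assumption: keystone's default implied
    roles, so an admin token also carries member and reader)."""
    return {"roles": list(roles), "project_id": project_id, "is_admin": "admin" in roles}


def reader_can_delete(rules):
    """The reported scenario: reader-only user, server in the same project."""
    reader = token(["reader"], "proj-a")
    return enforce("os_compute_api:servers:delete", rules, reader, {"project_id": "proj-a"})


if __name__ == "__main__":
    for label, rules in (("legacy", LEGACY_RULES), ("new defaults", NEW_DEFAULT_RULES)):
        print("%-12s reader may delete server: %s" % (label, reader_can_delete(rules)))
```

Two practical checks follow from this. `enforce_new_defaults` takes effect only in the configuration of the service whose API enforces the rule (nova.conf for server operations; setting it in keystone.conf changes only keystone's own API). And any rule redefined in a deployed policy.yaml overrides the in-code default regardless of that flag, so a policy file that still maps `os_compute_api:servers:delete` to `rule:admin_or_owner` keeps the legacy behaviour even with the new defaults enabled.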