yahoo-eng-team team mailing list archive

[Bug 2072639] [NEW] User with reader role can perform similar operation as other roles

 

Public bug reported:

OpenStack Release: Zed (OpenStack deployed using openstack-helm)
OS: Ubuntu 22.04.2 LTS (Jammy)

The reader role in OpenStack can perform all the operations that the
member role can. It looks like it has similar permissions to the member role.

I tried assigning the reader role to a newly created user and adding that
user to a project where another user with the member role was also a
member. I created an instance using the member-role user and tried to
delete it using the reader-role user, and I managed to delete it. This is
not only for instances: the reader role can also modify other OpenStack
resources such as networks, volumes, etc.

The reader role should only have limited access, just to monitor the
resources. It should not modify them.

I have also tried adding [oslo_policy] enforce_new_defaults = True in
nova.conf, but it did not help. I also tried adding it to keystone.conf,
after which I was not able to perform any operation at all in Horizon.
For example, if I clicked on Launch Instance, Horizon logged me out. I
also realized that I was getting a "You are not authorized to perform
this operation" error. In this case I was logged in as an admin.

I have attached the nova policy file for reference.

Is there any specific policy configuration needed, or some changes in the
code of nova and keystone?

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "policy.yaml"
   https://bugs.launchpad.net/bugs/2072639/+attachment/5795824/+files/policy.yaml


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2072639


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2072639/+subscriptions