Implement policy check for object ownership
Bug #1187104 reported by Scott Devoid
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Wishlist | Unassigned |
Bug Description
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_
This role would allow any member of a project to delete any instance, which is a problem!
We need something like:
"owns:%
Changed in nova:
importance: Undecided → Wishlist
status: New → Invalid

Changed in nova:
status: Invalid → New
status: New → Invalid
You are correct that there is no 'owns' check, but the policy engine does support checking against arbitrary fields in a 'target'. In a lot (most?) of those checks that occur in the compute/api.py layer, vs the wsgi layer, the target is an instance dict so something like user_id:%(user_id)s would work. Now, that's not universally true so there may be specific checks that could use a more robust target to check against, and I would suggest opening bugs for specific checks in that case. So I marked this as invalid because I think it's a bit general and is somewhat supported. But please open reports for specific policy checks that are too limiting.
If you're interested in expanding the policy engine capabilities to support an owns resource that would fall under a blueprint rather than a bug report.
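The difference between the tenant-only rule in the bug description and the field-against-target check suggested in the comment is easiest to see by evaluating both against the same instance. The block below is an added example, not nova's or oslo.policy's code: it implements only the subset of the policy language the comment relies on (`role:NAME`, the generic `KEY:%(FIELD)s` comparison of a caller attribute with a target field, literal `KEY:VALUE`, and `and`/`or` without parentheses). It assumes the caller's credentials are a nova-style context dict carrying `user_id`, `project_id` and `roles`, that the target is the instance dict handed to the check in compute/api.py, and all user, project and instance values are constructed for the demonstration.

```python
import re

# Added example, not nova's or oslo.policy's code: a small evaluator for the
# subset of nova's policy language that the comment above relies on.
#   role:NAME            -> NAME is one of the caller's roles
#   KEY:%(FIELD)s        -> caller's KEY equals the target's FIELD (generic check)
#   KEY:VALUE            -> caller's KEY equals the literal VALUE
#   "A and B", "A or B"  (and binds tighter than or; no parentheses supported)
# Assumption: creds is a nova-style context dict with user_id, project_id and
# roles; target is the instance dict that compute/api.py passes to the check.

_GENERIC = re.compile(r"^%\((\w+)\)s$")


def check_atom(atom, target, creds):
    """Evaluate one 'kind:match' term against the caller and the target."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match in creds.get("roles", ())
    m = _GENERIC.match(match)
    if m:
        field = m.group(1)
        # A target that lacks the field fails closed instead of comparing None.
        if field not in target:
            return False
        return str(creds.get(kind)) == str(target[field])
    return str(creds.get(kind)) == match


def is_allowed(rule, target, creds):
    """True if any 'or' branch has all of its 'and' terms satisfied."""
    for branch in rule.split(" or "):
        if all(check_atom(term.strip(), target, creds)
               for term in branch.split(" and ")):
            return True
    return False


# Constructed sample data: two members of the same project, one instance
# owned by alice, and an admin from a different project.
INSTANCE = {"uuid": "constructed-instance-1", "user_id": "alice",
            "project_id": "proj-1"}
ALICE = {"user_id": "alice", "project_id": "proj-1", "roles": ["member"]}
BOB = {"user_id": "bob", "project_id": "proj-1", "roles": ["member"]}
ADMIN = {"user_id": "carol", "project_id": "proj-9", "roles": ["admin"]}

# The tightest rule that role and tenant checks alone can express ...
TENANT_RULE = "role:member and project_id:%(project_id)s"
# ... and the same intent expressed with the generic check from the comment.
OWNER_RULE = "role:admin or user_id:%(user_id)s and project_id:%(project_id)s"


def who_may_delete(rule, instance=INSTANCE):
    """Return the sample callers (by user_id) that the rule admits."""
    callers = {"alice": ALICE, "bob": BOB, "carol": ADMIN}
    return sorted(name for name, creds in callers.items()
                  if is_allowed(rule, instance, creds))


if __name__ == "__main__":
    print("tenant-only rule admits:", who_may_delete(TENANT_RULE))  # ['alice', 'bob']
    print("owner rule admits:      ", who_may_delete(OWNER_RULE))   # ['alice', 'carol']
```

The tenant-only rule lets bob delete alice's instance because both share `proj-1`, which is exactly the problem the report describes; the owner rule admits only the instance's `user_id` (plus admins) without any new `owns` primitive. The caveat from the comment still applies: this only works where the target actually carries `user_id`, which is why the evaluator fails closed when the field is missing.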