miss moving unlock_override policy enforcement into V2.1 REST API layer
Bug #1429126 reported by lvmxh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Low | lvmxh |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Commit 01be083 misses unlock_override policy check in V2.1 REST API layer.
The V2.1 REST API can always call this policy check, for there is no skip_policy_check condition in the underlying layer.
But for V2.1 API, we should not check any policy in underlying layer.
This is the principle of V2.1 API policy. https:/
https:/
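The layering principle in the description above, as an added example that is not Nova code and not part of the original report: a simplified model in which the V2.1 REST handler owns policy enforcement and the underlying layer honors `skip_policy_check`. Only `unlock_override` and `skip_policy_check` come from the report; all class and function names, the `admin` role mapping and the sample server are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Nova source code.
# Only unlock_override and skip_policy_check are names from the report;
# every class and function here is hypothetical.

class Policy:
    """Evaluates rules and records which layer asked."""
    def __init__(self, rules):
        self.rules = rules          # rule name -> required role (constructed)
        self.calls = []             # (layer, rule) in evaluation order

    def enforce(self, layer, rule, roles):
        self.calls.append((layer, rule))
        if self.rules[rule] not in roles:
            raise PermissionError(f"{rule} denied at {layer} layer")


class ComputeLayer:
    """Stand-in for the layer underneath the REST API."""
    def __init__(self, policy, skip_policy_check=False, honor_skip=True):
        self.policy = policy
        self.skip_policy_check = skip_policy_check
        self.honor_skip = honor_skip    # False models the reported state

    def unlock(self, roles, server):
        # Reported state: this check had no skip_policy_check condition.
        if not (self.honor_skip and self.skip_policy_check):
            self.policy.enforce("compute", "unlock_override", roles)
        server["locked"] = False


class V21Controller:
    """Stand-in for a V2.1 REST handler, which owns policy enforcement."""
    def __init__(self, policy, fixed):
        self.policy, self.fixed = policy, fixed
        self.compute = ComputeLayer(policy, skip_policy_check=True,
                                    honor_skip=fixed)

    def unlock(self, roles, server):
        if self.fixed:
            self.policy.enforce("rest", "unlock_override", roles)
        self.compute.unlock(roles, server)


def trace_unlock(fixed, roles):
    """Return (layers that evaluated the rule, final locked state)."""
    policy = Policy({"unlock_override": "admin"})
    server = {"locked": True}
    try:
        V21Controller(policy, fixed).unlock(roles, server)
    except PermissionError:
        pass
    return [layer for layer, _ in policy.calls], server["locked"]
```

A regression test built on the same idea asserts that the rule is evaluated exactly once per request and only at the REST layer, for both an allowed and a denied caller.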
Changed in nova:
assignee: nobody → lvmxh (shaohef)
Changed in ossa:
status: New → Incomplete
description: updated
information type: Private Security → Private
information type: Private → Public
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Changed in nova:
milestone: liberty-1 → 12.0.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
If 01be083 is only in master (e.g., not released nor backported), then there is no need to keep this bug under private security setting as it should be fixed before any release.
Adding nova-coresec to confirm the Nova bug.