miss moving unlock_override policy enforcement into V2.1 REST API layer

Bug #1429126 reported by lvmxh
Affects                      Status        Importance  Assigned to  Milestone
OpenStack Compute (nova)     Fix Released  Low         lvmxh
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned

Bug Description

Commit 01be083 misses the unlock_override policy check in the V2.1 REST API layer.

The V2.1 REST API can always call this policy check, for there is no skip_policy_check condition in the underlying layer.

But for the V2.1 API, we should not check any policy in the underlying layer.
This is the principle of the V2.1 API policy: https://blueprints.launchpad.net/openstack/?searchtext=v3-api-policy
https://review.openstack.org/#/c/147782/ has cleaned it up, but it misses this one.

lvmxh (shaohef)
Changed in nova:
assignee: nobody → lvmxh (shaohef)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

If 01be083 is only in master (e.g., not released nor backported), then there is no need to keep this bug under private security setting as it should be fixed before any release.

Adding nova-coresec to confirm the Nova bug.

Revision history for this message
Andrew Laski (alaski) wrote :

I do not see a security risk here. The code in question was merged in February (https://review.openstack.org/#/c/147782/) and is not in a release.

Furthermore, the unlock_override check will continue to run as it is not affected by the skip_check flag that is used to bypass the checks initiated by the wrap_check_policy decorator.
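
The two enforcement paths described in the comment above, as an added example that is not nova's code and not part of the original bug thread. It is a hypothetical model: a decorator-initiated check that a skip_policy_check flag bypasses, a direct check in the method body that the flag does not reach, and the V2.1 REST layer that is meant to own every check. The rule names, the role table, the controller and compute API classes, and the attempt() helper are all constructed for the illustration; only the names unlock_override, skip_policy_check and wrap_check_policy come from the thread.

```python
"""Hypothetical model of two policy-enforcement paths (constructed, not nova)."""
import functools


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not satisfy a rule."""


# Constructed rule table: rule name -> roles that satisfy it (hypothetical).
RULES = {
    "compute:unlock": {"admin", "member"},
    "compute_extension:unlock_override": {"admin"},
}


def enforce(context, rule):
    """Record the rule in context['checked'] if allowed, else raise."""
    if not RULES[rule] & set(context["roles"]):
        raise PolicyNotAuthorized(rule)
    context["checked"].append(rule)


def wrap_check_policy(func):
    """Decorator-initiated check: skipped when the owning object has
    skip_policy_check set, which the V2.1 REST layer does."""
    @functools.wraps(func)
    def wrapped(self, context, instance):
        if not self.skip_policy_check:
            enforce(context, "compute:" + func.__name__)
        return func(self, context, instance)
    return wrapped


def needs_override(context, instance):
    """True when someone other than the expected locker is unlocking."""
    expected = "owner" if instance["project_id"] == context["project_id"] else "admin"
    return bool(instance["locked_by"]) and instance["locked_by"] != expected


class ComputeAPIBefore:
    """Underlying layer before the fix: unlock_override is enforced by a
    direct enforce() call in the body, so skip_policy_check cannot bypass it."""
    def __init__(self, skip_policy_check=False):
        self.skip_policy_check = skip_policy_check

    @wrap_check_policy
    def unlock(self, context, instance):
        if needs_override(context, instance):
            enforce(context, "compute_extension:unlock_override")
        instance["locked_by"] = None
        return instance


class ComputeAPIAfter(ComputeAPIBefore):
    """Underlying layer after the cleanup: no policy checks of its own."""
    @wrap_check_policy
    def unlock(self, context, instance):
        instance["locked_by"] = None
        return instance


class V21Controller:
    """V2.1 REST layer. check_override=False models the state this bug
    reports, where the REST layer did not enforce unlock_override itself."""
    def __init__(self, compute_api_cls, check_override):
        self.compute_api = compute_api_cls(skip_policy_check=True)
        self.check_override = check_override

    def unlock(self, context, instance):
        enforce(context, "compute:unlock")
        if self.check_override and needs_override(context, instance):
            enforce(context, "compute_extension:unlock_override")
        return self.compute_api.unlock(context, instance)


def attempt(controller, roles):
    """Constructed scenario: a caller in project 'p1' unlocks an instance
    that an admin locked. Returns (outcome, rules actually checked)."""
    context = {"project_id": "p1", "roles": roles, "checked": []}
    instance = {"project_id": "p1", "locked_by": "admin"}
    try:
        controller.unlock(context, instance)
        return "unlocked", context["checked"]
    except PolicyNotAuthorized as exc:
        return "denied:" + str(exc), context["checked"]


if __name__ == "__main__":
    # Bug as reported: REST layer lacks the check, compute layer still has it.
    print(attempt(V21Controller(ComputeAPIBefore, check_override=False), ["member"]))
    # Fix applied: REST layer enforces it, compute layer is clean.
    print(attempt(V21Controller(ComputeAPIAfter, check_override=True), ["member"]))
    # Cleanup without moving the check: the gap the fix prevents.
    print(attempt(V21Controller(ComputeAPIAfter, check_override=False), ["member"]))
```

The first case is the comment's point: with the direct call still in the underlying layer, a member is denied even though the REST layer never enforced unlock_override. The third case shows why the check had to move in the same change that cleans the underlying layer: once the direct call is gone, only the REST layer stands between the caller and the unlock.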

Revision history for this message
lvmxh (shaohef) wrote :

Sorry, the V2.1 REST API can always call this policy check, for there is no skip_policy_check condition in the underlying layer.

But for the V2.1 API, we should not check any policy in the underlying layer.
This is the principle of the V2.1 API policy: https://blueprints.launchpad.net/openstack/?searchtext=v3-api-policy
https://review.openstack.org/#/c/147782/ has cleaned it up, but it misses this one.

This patch fixes it: https://review.openstack.org/#/c/162168/

lvmxh (shaohef)
description: updated
information type: Private Security → Private
information type: Private → Public
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Jeremy Stanley (fungi) wrote :

I've switched the security advisory task to "won't fix" since this shouldn't need an advisory published (class Y bug per https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy ).

Changed in ossa:
status: Incomplete → Won't Fix
Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/162168
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=161dc0d954f5426564d36c596a54116e72806533
Submitter: Jenkins
Branch: master

commit 161dc0d954f5426564d36c596a54116e72806533
Author: ShaoHe Feng <email address hidden>
Date: Sat Mar 7 04:50:41 2015 +0800

    Move unlock_override policy enforcement into V2.1 REST API layer

    Commit 01be083 misses unlock_override policy check in V2.1 REST API layer.

    This patch fixes this bug and adds related unittest.

    Partially implements bp nova-api-policy-final-part
    Closes-Bug: 1429126

    Change-Id: Ie5481267d0631fae7f413e63ae6c38656d3ca933

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-1 → 12.0.0