create/delete flavor permissions should be controlled by policy.json
Bug #1445335 reported by Divya K Konoor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Divya K Konoor |
Kilo | Fix Released | High | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
Bug Description
The create/delete flavor REST API always expects the user to have admin privileges and ignores the rule defined in nova/policy.json. This behavior is observed after these changes >> https:/
The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor.
Changed in nova:
status: New → Confirmed
Changed in nova:
assignee: nobody → Divya K Konoor (dikonoor)
Changed in nova:
importance: High → Critical
information type: Public → Public Security
tags: added: api
tags: removed: kilo-rc-potential
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Changed in nova:
milestone: liberty-1 → 12.0.0
This is the regression: the original patch assumes the user request's context is passed down to the db call. But actually it is not; the code always passes a fake admin context.
So we should fix it to keep the v2 API behavior as before. And it should be backported to Kilo.
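
A simplified model of the regression discussed in this report, added here as an example; it is not nova's code, and every name in it (`Context`, `POLICY`, the handler functions, the `flavor_manager` role) is hypothetical. It shows why a hard-coded admin check in the API layer overrides a policy rule that delegates flavor management, even though the DB layer only ever sees an elevated context.

```python
# Simplified model of the regression; all names are hypothetical, not nova's.
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class Context:
    user: str
    roles: set = field(default_factory=set)
    is_admin: bool = False

    def elevated(self):
        # Internal admin context handed to the DB call (the "fake admin
        # context" described in the comment above).
        return Context(self.user, set(self.roles), is_admin=True)

# Constructed stand-in for a policy.json rule that delegates flavor
# management to a non-admin role.
POLICY = {"flavormanage": {"admin", "flavor_manager"}}

def authorize(ctx, action):
    # Default deny: an action with no rule matches no role.
    if not ctx.roles & POLICY.get(action, set()):
        raise Forbidden(f"policy does not allow {action}")

def db_flavor_create(ctx, name, store):
    # DB-layer guard: it only ever receives the elevated context, so it
    # never restricts the requesting user.
    if not ctx.is_admin:
        raise Forbidden("db layer requires admin context")
    store[name] = {"name": name}
    return store[name]

def create_flavor_regressed(ctx, name, store):
    authorize(ctx, "flavormanage")
    if not ctx.is_admin:  # hard-coded check: the policy rule is ignored
        raise Forbidden("admin required")
    return db_flavor_create(ctx.elevated(), name, store)

def create_flavor_policy_driven(ctx, name, store):
    authorize(ctx, "flavormanage")  # the policy file is the only gate
    return db_flavor_create(ctx.elevated(), name, store)

def allowed(handler, ctx):
    try:
        handler(ctx, "m1.test", {})
        return True
    except Forbidden:
        return False
```

Running both handlers against an admin, a delegated role and an unprivileged role is the shape of regression test that catches this class of change.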