authority check for create volume API happens too late
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
Fix Released
|
Undecided
|
Anna Sortland | ||
Juno |
Won't Fix
|
Undecided
|
Unassigned | ||
Kilo |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
create() API in cinder/
flow_engine = create_
which happens after a number of error checks in the api.py itself.
It is better to do authority check right away. Otherwise, we are allowing some operations to proceed that user might not have authority to (e.g. we are disclosing information in error messages).
Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https:/
We should change the code to use decorator for create() so that authority for create volume operation is checked right away.
Changed in cinder: | |
assignee: | nobody → Anna Sortland (annasort) |
Changed in cinder: | |
milestone: | none → liberty-3 |
status: | Fix Committed → Fix Released |
Changed in cinder: | |
milestone: | liberty-3 → 7.0.0 |
no longer affects: | cinder/liberty |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.