Non-admin user can perform 'extra-specs-list'
Bug #1475285 reported by Julia Varlamova
This bug affects 3 people

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | High | John Griffith | 7.0.0
OpenStack Shared File Systems Service (Manila) | Fix Released | High | Clinton Knight | 1.0.0
Bug Description
In etc/manila/
But a non-admin user can perform the 'manila extra-specs-list' command. So policy.json isn't used when we query for the extra-specs list.
summary: Non-admin user can perform 'manila extra-specs-list' → Non-admin user can perform 'extra-specs-list'
description: updated
Changed in manila: status: New → Confirmed
Changed in manila: assignee: nobody → Chang-Yi Lee (cy-lee)
Changed in cinder: status: New → Invalid
tags: added: api policy
Changed in cinder: assignee: nobody → jelly (coding1314)
Changed in manila: importance: Undecided → High
Changed in manila: milestone: none → liberty-3
Changed in manila: assignee: Chang-Yi Lee (cy-lee) → jelly (coding1314)
Changed in manila: assignee: jelly (coding1314) → nobody
Changed in cinder: assignee: jelly (coding1314) → nobody
Changed in manila: assignee: nobody → Clinton Knight (clintonk)
Changed in manila: status: Confirmed → In Progress
Changed in manila: milestone: liberty-3 → liberty-rc1
Changed in cinder: milestone: none → liberty-3
Changed in cinder: status: Fix Committed → Fix Released
Changed in manila: assignee: Andrew Kerr (andrew-kerr) → Clinton Knight (clintonk)
Changed in manila: status: Fix Committed → Fix Released
Changed in cinder: milestone: liberty-3 → 7.0.0
Changed in manila: milestone: liberty-rc1 → 1.0.0
John Griffith,
I have reproduced it with the "master" branch of Cinder in my lab.
In "/etc/cinder/policy.json" I have the rule:
"volume_extension:types_extra_specs": "rule:admin_api",
Enabling user creds in the CLI command "cinder extra-specs-list" returns 200 OK.
Here is the debug; I set "user_id" to a "fake" value and it still works:
"""
> /usr/local/ lib/python2. 7/dist- packages/ oslo_policy/ policy. py(501) enforce( ) rule](target, creds, self) 17T09:07: 36.375081' , 'auth_token': '34ec89889d0f49 6db0ac56568774c 2ac', 'remote_address': '172.18.198.52', 'quota_class': None, 'resource_uuid': None, 'is_admin': False, 'user': u'05aa9930de444 c91a937b312ae12 49bf', 'service_catalog': [{u'endpoints': [{u'adminURL': u'http:// 172.18. 198.52: 35357/v2. 0', u'region': u'RegionOne', u'internalURL': u'http:// 172.18. 198.52: 5000/v2. 0', u'publicURL': u'http:// 172.18. 198.52: 5000/v2. 0'}], u'type': u'identity', u'name': u'keystone'}, {u'endpoints': [{u'adminURL': u'http:// 172.18. 198.52: 8774/v2/ c63ce66c72124c4 1abb9e6e9fc75e7 6a', u'region': u'RegionOne', u'internalURL': u'http:// 172.18. 198.52: 8774/v2/ c63ce66c72124c4 1abb9e6e9fc75e7 6a', u'publicURL': u'http:// 172.18. 198.52: 8774/v2/ c63ce66c72124c4 1abb9e6e9fc75e7 6a'}], u'type': u'compute', u'name': u'nova'}], 'tenant': u'c63ce66c72124 c41abb9e6e9fc75 e76a', 'read_only': False, 'project_id': u'c63ce66c72124 c41abb9e6e9fc75 e76a', 'user_id': u'05aa9930de444 c91a937b312ae12 49bf', 'show_deleted': False, 'roles': [u'Member', u'anotherrole'], 'user_identity': '05aa9930de444c 91a937b312ae124 9bf c63ce66c72124c4 1abb9e6e9fc75e7 6a - - -', 'read_deleted': 'no', 'request_id': 'req-03d03509- 771a-45d2- 989e-b63fbc9a45 bf', 'user_domain': None} c41abb9e6e9fc75 e76a', 'user_id': u'05aa9930de444 c91a937b312ae12 49bf'} extension: volume_ type_access' c41abb9e6e9fc75 e76a', 'user_id': u'05aa9930de444 c91a937b312ae12 49bf'} 91a8064de84dc0e ecb" rule](target, creds, self) rule](target, creds, self) rules[" volume_ extension: types_extra_ specs"] )
-> if do_raise and not result:
(Pdb) result
True
(Pdb) do_raise
True
(Pdb) self.rules[
True
(Pdb) creds
{'domain': None, 'project_name': u'demo', 'project_domain': None, 'timestamp': '2015-07-
(Pdb) target
{'project_id': u'c63ce66c72124
(Pdb) rule
'volume_
(Pdb) target
{'project_id': u'c63ce66c72124
(Pdb) target["user_id"] = "5791f97019d042
(Pdb) self.rules[
True
(Pdb) target["user_id"] = "fake"
(Pdb) self.rules[
True
(Pdb) str(self.
'rule:admin_api'
"""
But the policy works OK for another rule, "volume_extension:types_manage", where I get the expected 403 code.
So I am setting this to Confirmed until it is proven that the bug does not exist.
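The debug session above shows the enforce() frame that returned True evaluating 'volume_extension:volume_type_access', while the rule the operator configured for extra specs, 'volume_extension:types_extra_specs', is 'rule:admin_api'. The following added example (not Cinder or Manila code, and not from the bug reporter) models how that symptom arises: a handler that returns extra specs after only the open volume_type_access check answers 200 to a non-admin, while a handler that enforces the types_extra_specs rule answers 403. The policy evaluator is a small stand-in for oslo.policy that supports only the checks it needs; the handler names, the volume type, the request contexts and the assumption that volume_type_access defaults to the empty (always-pass) rule are constructed for illustration.

```python
"""Added example: minimal model of oslo.policy-style enforcement for the
volume-type extra-specs listing discussed in this bug.

Not Cinder or Manila code. The evaluator handles only "rule:<name>",
"role:<name>", "is_admin:True", the empty rule "" (always passes) and
" or " between checks. Rule names and the "rule:admin_api" default are the
ones quoted in the report; everything else is constructed.
"""

# Constructed policy.json subset. volume_type_access is assumed to be the
# empty rule here, which always passes.
POLICY = {
    "admin_api": "is_admin:True",
    "volume_extension:types_extra_specs": "rule:admin_api",
    "volume_extension:types_manage": "rule:admin_api",
    "volume_extension:volume_type_access": "",
}


class PolicyNotAuthorized(Exception):
    """Raised when a policy check fails (the API layer maps this to HTTP 403)."""


def _check(expr, creds, policy):
    """Evaluate one policy expression against the request credentials."""
    expr = expr.strip()
    if expr == "":          # empty rule: always allowed
        return True
    if " or " in expr:      # any disjunct may pass
        return any(_check(part, creds, policy) for part in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "rule":      # reference to another named rule
        return _check(policy[value], creds, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(bool(creds.get("is_admin", False))) == value
    raise ValueError("unsupported check: %r" % expr)


def enforce(action, creds, policy=POLICY):
    """Mirror of Enforcer.enforce(action, target, creds, do_raise=True)."""
    if not _check(policy[action], creds, policy):
        raise PolicyNotAuthorized(action)
    return True


def is_allowed(action, creds, policy=POLICY):
    """Non-raising variant of enforce(), handy for tests and filtering."""
    try:
        return enforce(action, creds, policy)
    except PolicyNotAuthorized:
        return False


# Constructed request contexts; the non-admin one copies is_admin/roles from
# the creds dumped in the pdb session.
NON_ADMIN = {"is_admin": False, "roles": ["Member", "anotherrole"],
             "project_id": "c63ce66c72124c41abb9e6e9fc75e76a"}
ADMIN = {"is_admin": True, "roles": ["admin"]}

# Constructed volume type carrying the data 'extra-specs-list' displays.
VOLUME_TYPES = [{"name": "gold", "extra_specs": {"volume_backend_name": "lvm"}}]


def list_extra_specs_buggy(creds):
    """Only the open volume_type_access check runs before extra specs are
    returned, so a non-admin gets 200: the symptom reported in this bug."""
    if not is_allowed("volume_extension:volume_type_access", creds):
        return 403, {}
    return 200, {t["name"]: t["extra_specs"] for t in VOLUME_TYPES}


def list_extra_specs_fixed(creds):
    """The rule actually configured for extra specs is enforced, so the
    non-admin request is rejected with 403 and the admin one still succeeds."""
    if not is_allowed("volume_extension:types_extra_specs", creds):
        return 403, {}
    return 200, {t["name"]: t["extra_specs"] for t in VOLUME_TYPES}


if __name__ == "__main__":
    for name, handler in (("buggy", list_extra_specs_buggy),
                          ("fixed", list_extra_specs_fixed)):
        status, _ = handler(NON_ADMIN)
        print("non-admin extra-specs-list via %s handler -> HTTP %d" % (name, status))
```

The practical check this encodes: when a rule in policy.json is not having an effect, break in enforce() and compare the `rule` argument with the rule you edited; if the request never reaches enforce() with that name, the handler is not enforcing it, no matter what policy.json says.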