os-server-groups policy doesn't separate CRUD actions

Bug #1632820 reported by Matthew Edmonds
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

nova.api.openstack.compute.server_groups.ServerGroupController uses the same policy check (os_compute_api:os-server-groups) for show, delete, index, and create, instead of separating these into separate checks (e.g. os_compute_api:os-server-groups:delete). This makes it impossible to customize policy such that some roles are allowed to do some but not all of these operations, e.g. show/index server groups but not create/delete them.

Found with Newton.

Matt Riedemann (mriedem)
Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
Liyingjun (liyingjun) wrote :

Seems it is already done; part of the generated policy file:
"os_compute_api:os-server-groups:discoverable": "@"
#
"os_compute_api:os-server-groups": "rule:admin_or_owner"
#
"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
#
"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

Changed in nova:
status: Confirmed → Opinion
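
An added example, not part of the bug report or of nova: a small audit that resolves the `rule:` aliases in a policy mapping and groups the server-group actions by effective check, so an operator can see whether create/delete are actually separated from show/index. The `admin_api` and `admin_or_owner` definitions and the override are assumed sample values, and the resolver follows plain aliases only, not the full oslo.policy language.

```python
# Added example: simplified alias resolver, not oslo.policy itself.
# Constructed sample: the generated defaults quoted in the comment above.
# The admin_api / admin_or_owner definitions are assumed values.
BASE = "os_compute_api:os-server-groups"
DEFAULTS = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    BASE: "rule:admin_or_owner",
    BASE + ":discoverable": "@",
    BASE + ":create": "rule:" + BASE,
    BASE + ":delete": "rule:" + BASE,
    BASE + ":index": "rule:" + BASE,
    BASE + ":show": "rule:" + BASE,
}
# Hypothetical operator override: only admins may create or delete groups.
OVERRIDES = {
    BASE + ":create": "rule:admin_api",
    BASE + ":delete": "rule:admin_api",
}


def resolve(name, policy, seen=()):
    """Follow plain 'rule:<name>' aliases to the first concrete check string."""
    if name in seen:
        raise ValueError("alias cycle: " + " -> ".join(seen + (name,)))
    expr = policy[name].strip()
    target = expr[len("rule:"):]
    if expr.startswith("rule:") and target in policy:
        return resolve(target, policy, seen + (name,))
    return expr  # concrete check, compound expression, or unknown rule


def group_by_effective_check(policy, base=BASE):
    """Map each effective check to the per-action rules that end up using it."""
    groups = {}
    for key in sorted(policy):
        if key.startswith(base + ":") and not key.endswith(":discoverable"):
            groups.setdefault(resolve(key, policy), []).append(key[len(base) + 1:])
    return groups


def is_separated(policy, base=BASE):
    """True when the actions do not all collapse onto one check."""
    return len(group_by_effective_check(policy, base)) > 1


if __name__ == "__main__":
    for label, pol in (("defaults", DEFAULTS), ("with override", {**DEFAULTS, **OVERRIDES})):
        print(label, is_separated(pol), group_by_effective_check(pol))
```

With the defaults alone every action collapses onto the `admin_or_owner` check; the per-action rule names only make a difference once an operator overrides them.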