OpenStack Compute (nova)

os-deferred-delete restore server API policy is allowed for everyone even policy defaults is admin_or_owner

Bug #1863009 reported by Ghanshyam Mann on 2020-02-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Undecided	John Garbutt

Bug Description

os-deferred-delete restore server API policy is default to admin_or_owner[1] but API is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/707455/

This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/deferred_delete.py#L38

and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/deferred_delete.py#L27

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-12: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/707457

Changed in nova:
assignee:	nobody → Ghanshyam Mann (ghanshyammann)
status:	New → In Progress

Ghanshyam Mann (ghanshyammann) on 2020-02-12

tags:	added: api-policy
tags:	added: policy-defaults-refresh removed: api-policy

OpenStack Infra (hudson-openstack) on 2020-03-04

Changed in nova:
assignee:	Ghanshyam Mann (ghanshyammann) → John Garbutt (johngarbutt)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-04: Fix merged to nova (master)

Reviewed: https://review.opendev.org/707457
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f83c591e30e5283af3bd6b05b7bd041c83d5c20f
Submitter: Zuul
Branch: master

commit f83c591e30e5283af3bd6b05b7bd041c83d5c20f
Author: Ghanshyam Mann <email address hidden>
Date: Wed Feb 12 13:28:40 2020 -0600

Fix os-os-deferred-delete policy to be admin_or_owner

os-deferred-delete restore server API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/707455/

    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy
target.

Closes-bug: #1863009

    [1] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/deferred_delete.py#L27
    [2] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/deferred_delete.py#L38
    [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

Change-Id: Ib05501b678d0b58bbd9e77cd5d79a9b6ef661497

Changed in nova:
status:	In Progress → Fix Released

Ghanshyam Mann (ghanshyammann) on 2020-03-27

tags:

added: policy
removed: policy-defaults-refresh

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.