os-flavor-access API policy should be admin only
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Ghanshyam Mann | |
Bug Description
The os-flavor-access API policy defaults to admin_or_owner[1], but the API is allowed for everyone.
This is because the API does not pass the server project_id in the policy target
- https:/
and if no target is passed, then policy.py adds the default targets, which are nothing but context.project_id (allowing everyone who tries to access)
- https:/
I do not think there is an owner concept for flavors, as multiple tenants can be added to access the flavor. I think we should default this policy to admin only, and only admin should be able to list all the tenants who have access to a specific flavor.
Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
tags: added: policy
Changed in nova:
status: New → In Progress
Changed in nova:
importance: Undecided → Critical
importance: Critical → Medium
If we want to make it owner-based, then we need to add some magic of multi-owner verification on the nova side. This can be done by checking context.can() in a loop for every tenant that has access to that flavor.
But again, the question is that tenantA will be able to know the info of all tenants that have access to that flavor.
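
The behaviour discussed in this report, as an added example that is not nova or oslo.policy code and not part of the original thread: a simplified model of an admin_or_owner check with a defaulted target, next to an admin-only check and the per-tenant loop from the comment. `Context`, `can()`, the `admin_only` rule name and the flavor data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

# Constructed stand-ins for rule evaluation; "admin_only" is an assumed rule name.
RULES = {
    "admin_or_owner": lambda ctx, tgt: ctx.is_admin or tgt["project_id"] == ctx.project_id,
    "admin_only": lambda ctx, tgt: ctx.is_admin,
}

def can(ctx, rule, target=None):
    """Return True if the rule passes; a missing target defaults to the caller."""
    if target is None:
        # The default target described in the report: context.project_id.
        target = {"project_id": ctx.project_id}
    return RULES[rule](ctx, target)

# Constructed sample data: one flavor shared with two tenants.
FLAVOR_ACCESS = {"flavor-1": ["tenant-a", "tenant-b"]}

def list_access_no_target(ctx, flavor_id):
    # Owner check compares ctx.project_id with itself, so it always passes.
    if not can(ctx, "admin_or_owner"):
        raise PermissionError(flavor_id)
    return FLAVOR_ACCESS[flavor_id]

def list_access_admin_only(ctx, flavor_id):
    if not can(ctx, "admin_only"):
        raise PermissionError(flavor_id)
    return FLAVOR_ACCESS[flavor_id]

def list_access_multi_owner(ctx, flavor_id):
    # The loop from the comment: pass if the caller owns any access entry.
    tenants = FLAVOR_ACCESS[flavor_id]
    if not any(can(ctx, "admin_or_owner", {"project_id": t}) for t in tenants):
        raise PermissionError(flavor_id)
    return tenants  # tenant-a still learns that tenant-b has access

def denied(check, ctx, flavor_id):
    try:
        check(ctx, flavor_id)
    except PermissionError:
        return True
    return False
```
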