GET limits API policy is allowed for everyone but policy defaults is admin_or_owner

Bug #1869543 reported by Ghanshyam Mann
Affects                   Status        Importance  Assigned to      Milestone
OpenStack Compute (nova)  Fix Released  Undecided   Ghanshyam Mann

Bug Description

The limits API is allowed for everyone, but its policy defaults to admin_or_owner [1].

This is because the API does not pass the project_id in the policy target, which oslo.policy would use to decide ownership:
https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/api/openstack/compute/limits.py#L77

If no target is passed, policy.py adds the default target, which is nothing but context.project_id (allowing everyone who tries to access):
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

There is no owner concept in limits, and every project can get its own limits. We need to make the default RULE_ANY, which means allowed to everyone.

[1]
- https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/policies/limits.py#L27

Tags: policy
tags: added: policy
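The mechanism the report describes, shown as an added example (this is not nova's or oslo.policy's code): a small re-implementation of the subset of oslo.policy check matching that "project_id:%(project_id)s" relies on, plus nova's default-target substitution, enough to show why admin_or_owner always passes when context.can() is called with no target, while the same rule still denies a cross-project target. The credentials, project names and the enforce/nova_can helpers are constructed for illustration and return booleans instead of raising PolicyNotAuthorized.

```python
"""Simplified model of nova's policy check with a missing target.

Added example, not code from nova or oslo.policy. It mimics the
GenericCheck semantics of oslo.policy ("kind:match", with match
%-formatted against the target and compared to creds[kind]) and nova's
habit of filling in the target from the request context when an API
passes none (nova/policy.py).
"""

# Same check strings nova's policies used for these rules:
# RULE_ADMIN_OR_OWNER is what limits.py pointed at before the fix,
# RULE_ANY (the empty rule) is what it was changed to.
RULE_ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"
RULE_ANY = ""


def _generic_check(kind, match, target, creds):
    """Model of oslo.policy GenericCheck for one ``kind:match`` term."""
    if kind not in creds:
        return False
    try:
        expected = match % target  # "%(project_id)s" -> target['project_id']
    except KeyError:
        # The rule needs a target attribute that was not supplied: fail closed.
        return False
    return str(creds[kind]) == expected


def enforce(rule, target, creds):
    """Evaluate a flat 'term or term ...' rule; each term is kind:match."""
    if rule.strip() == "":
        return True  # RULE_ANY: allowed to everyone
    for term in (t.strip() for t in rule.split(" or ")):
        kind, match = term.split(":", 1)
        if _generic_check(kind, match, target, creds):
            return True
    return False


def nova_can(rule, creds, target=None):
    """Model of nova's context.can()/authorize().

    With no explicit target, nova substitutes the caller's own
    project_id/user_id as the target before enforcing, so any
    "project_id:%(project_id)s" clause compares the caller with itself.
    """
    if target is None:
        target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    return enforce(rule, target, creds)


# Constructed sample credentials: a non-admin member of project "p-alpha".
MEMBER = {"project_id": "p-alpha", "user_id": "u-1", "is_admin": False}


def demo():
    """The three cases the bug report contrasts, as a dict of outcomes."""
    return {
        # GET /limits as the API called it (no target): owner clause is a
        # tautology, so every authenticated project passes.
        "admin_or_owner_no_target": nova_can(RULE_ADMIN_OR_OWNER, MEMBER),
        # Same rule with a real target, as resource APIs pass it: a member
        # of p-alpha is denied on p-beta's resource.
        "admin_or_owner_other_project": nova_can(
            RULE_ADMIN_OR_OWNER, MEMBER, {"project_id": "p-beta"}),
        # After the fix: RULE_ANY states the real intent; behaviour is
        # unchanged for the no-target call.
        "rule_any_no_target": nova_can(RULE_ANY, MEMBER),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The point for a reviewer of policy defaults: a check_str of admin_or_owner only restricts anything when the API actually supplies a target that can differ from the caller; for a call site that passes none, the default target makes it equivalent to RULE_ANY, and the fix spells that out rather than changing who can call GET /limits.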
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/715672

Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/715672
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4d37ffc111ae8bb43bd33fe995bc3686b065131b
Submitter: Zuul
Branch: master

commit 4d37ffc111ae8bb43bd33fe995bc3686b065131b
Author: Ghanshyam Mann <email address hidden>
Date: Sat Mar 28 21:35:59 2020 -0500

    Correct limits policy check_str

    The limits API policy defaults to admin_or_owner [1],
    but the API is allowed (which is expected) for everyone.

    This is because the API does not pass the project_id in the policy
    target, which oslo.policy would use to decide ownership [2]. If no
    target is passed, policy.py adds the default target, which is
    nothing but context.project_id (allowing everyone who tries to access):
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    There is no owner concept in limits, and every project can get
    its own limits. We need to make the default RULE_ANY, which means
    allowed to everyone.

    [1] https://github.com/openstack/nova/blob/403fc671a6877889d6fb70360e002d9b22b98fc9/nova/policies/limits.py#L27
    Closes-bug: #1869543

    Change-Id: I80617e57a6e062e6038e1b3447e116a5f9e23d24

Changed in nova:
status: In Progress → Fix Released