Nova ignores reader role conventions in default policies
Bug #1931571 reported by
Florian Faltermeier
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
In keystone, if I grant someone the reader role on a project the readonly (role reader) user is able to create a new instance within the project.
Openstack Version: wallaby
1. Create a user within a project and add role reader to the user.
2. Login with the readonly user into the project and try to create an instance.
Florian
| description: | updated |
| tags: | added: policy |
Revision history for this message
| melanie witt (melwitt) wrote | #1 |
| Changed in nova: | |
| status: | New → Incomplete |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in nova: | |
| status: | Incomplete → Expired |
To post a comment you must log in.
This sounds like you might not enabled the new policy default roles [1] in nova [2].
In nova, the new policy default roles need to be enabled in order to use them [3], for example:
[oslo_policy]
enforce_
Can you confirm whether you have enabled this config?
I'm marking this bug as Incomplete for now and if you can respond with more information, you can set this bug back to New in order to alert us to your response.
[1] https:/
[2] https:/
[3] https:/