non-admin user accesses "limits" api failed with 403 if "default" policy rule changed

Bug #1497868 reported by Gao Zexu
Affects: Cinder | Status: Fix Released | Importance: Undecided | Assigned to: Gao Zexu | Milestone: (none)

Bug Description

If the "default" rule in cinder policy is changed to "rule:admin_api" or another form that does not contain '["project_id:%(project_id)s"]', a non-admin user accessing the limits api will fail with a 403 error.

The rule "limits_extension:used_limits" is used by "UsedLimitsController", which is a controller extension that extends the "limits" api. Most controller extensions authorize the user's context by applying the function "extensions.soft_extension_authorizer()", but "UsedLimitsController" applies "extensions.extension_authorizer", and this causes the 403 Forbidden error.

I think it's a bug, because "UsedLimitsController" is intended to collect info for authorized users rather than to forbid unauthorized users from accessing the "limits" api.
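The difference between the two authorizers is what decides whether the whole "limits" call fails or just loses the used-limits fields. The model below is an added example, not Cinder's own code: it is written after the pattern of the authorizers in cinder/api/extensions.py, but the policy mini-language (`rule:admin_api`, `rule:admin_or_owner`, `project_id:%(project_id)s`), the `enforce`, `limits_index` and `request_limits` helpers, and the sample limit values are all constructed for illustration.

```python
"""Model of hard vs. soft extension authorizers (constructed example; the
real Cinder code lives in cinder/api/extensions.py and cinder/policy.py)."""


class PolicyNotAuthorized(Exception):
    """Stands in for cinder.exception.PolicyNotAuthorized, which the API
    layer turns into an HTTP 403 response."""


def _match(rule, context, target):
    """Evaluate one rule string of a deliberately tiny, constructed policy
    language; real oslo.policy rules are far richer."""
    if rule == "rule:admin_api":
        return context["is_admin"]
    if rule == "rule:admin_or_owner":
        return context["is_admin"] or context["project_id"] == target["project_id"]
    if rule == "project_id:%(project_id)s":
        return context["project_id"] == target["project_id"]
    raise ValueError("unknown rule: %r" % rule)


def enforce(policy, context, action, target):
    """Like cinder.policy.enforce: an action that has no explicit entry in
    the policy file is checked against the "default" rule."""
    rule = policy.get(action, policy["default"])
    if not _match(rule, context, target):
        raise PolicyNotAuthorized(action)


def extension_authorizer(policy, api_name, extension_name):
    """Hard authorizer: raises on failure, so the caller's request dies
    with 403 unless the caller catches the exception itself."""
    action = "%s_extension:%s" % (api_name, extension_name)

    def authorize(context, target=None):
        if target is None:
            target = {"project_id": context["project_id"]}
        enforce(policy, context, action, target)
    return authorize


def soft_extension_authorizer(policy, api_name, extension_name):
    """Soft authorizer: wraps the hard one and reports True/False, so an
    extension can simply skip the data it is not allowed to add."""
    hard = extension_authorizer(policy, api_name, extension_name)

    def authorize(context, target=None):
        try:
            hard(context, target)
            return True
        except PolicyNotAuthorized:
            return False
    return authorize


def limits_index(context, policy, soft):
    """GET /limits with a UsedLimitsController-style extension applied.
    `soft` selects which authorizer the extension uses. Returns the body;
    raises PolicyNotAuthorized where the real API would answer 403."""
    body = {"limits": {"absolute": {"maxTotalVolumes": 10}}}  # constructed
    used = {"totalVolumesUsed": 3}  # constructed used-limit data
    if soft:
        authorize = soft_extension_authorizer(policy, "limits", "used_limits")
        if authorize(context):
            body["limits"]["absolute"].update(used)
    else:
        authorize = extension_authorizer(policy, "limits", "used_limits")
        authorize(context)  # propagates PolicyNotAuthorized -> 403
        body["limits"]["absolute"].update(used)
    return body


def request_limits(context, policy, soft):
    """Return (status, body) the way the API layer would answer."""
    try:
        return 200, limits_index(context, policy, soft)
    except PolicyNotAuthorized:
        return 403, None


# Constructed contexts and the two policy files the bug report contrasts:
# "limits_extension:used_limits" has no explicit entry, so "default" applies.
NON_ADMIN = {"project_id": "p1", "user_id": "u1", "is_admin": False}
ADMIN = {"project_id": "p1", "user_id": "admin", "is_admin": True}
OWNER_DEFAULT = {"default": "project_id:%(project_id)s"}
ADMIN_DEFAULT = {"default": "rule:admin_api"}

if __name__ == "__main__":
    for soft in (False, True):
        for name, policy in (("owner", OWNER_DEFAULT), ("admin", ADMIN_DEFAULT)):
            status, body = request_limits(NON_ADMIN, policy, soft)
            print("soft=%-5s default=%-5s -> %d %s" % (soft, name, status, body))
```

With the project-scoped default both variants return the used limits to the non-admin caller. With `"default": "rule:admin_api"` the hard authorizer turns the entire limits call into a 403, which is the bug, while the soft authorizer still answers 200 and only omits `totalVolumesUsed`; an admin caller gets the full body either way. Operationally, the thing to watch for after tightening a "default" rule is exactly this class of extension that falls through to it without an explicit policy entry.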

Gao Zexu (gaozx-fnst)
Changed in cinder:
assignee: nobody → Gao Zexu (gaozx-fnst)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/226149

Changed in cinder:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/226149
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=4bdeb045e491a86aeb8a1487798e598a2fa56e2f
Submitter: Jenkins
Branch: master

commit 4bdeb045e491a86aeb8a1487798e598a2fa56e2f
Author: Gaozexu <email address hidden>
Date: Tue Sep 22 11:35:37 2015 +0800

    Fix UsedLimitsController's authorizer to soft

    The rule "limits_extension:used_limits" is used by
    "UsedLimitsController" which is a controller extension and it extends
    "limits" api. Most controller extensions authorize the user's context
    by applying the function "extensions.soft_extension_authorizer()",
    but "UsedLimitsController" applies "extensions.extension_authorizer"
    and this may cause 403 Forbidden error.

    In this patch, I changed UsedLimitsController's authorizer to
    "soft_extension_authorizer".

    APIImpact

    Co-Authored-By: ZhuChunzhan <email address hidden>

    Change-Id: I8a4163ca89236b35c2c6ba10bcd98f8c42ef9089
    Closes-Bug: #1497868

Changed in cinder:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote : Fix included in openstack/cinder 8.0.0.0b1

This issue was fixed in the openstack/cinder 8.0.0.0b1 development milestone.

Thierry Carrez (ttx)
Changed in cinder:
status: Fix Committed → Fix Released