Cinder Quota RBAC does not consider project_id passed
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
New
|
Undecided
|
Unassigned | ||
Bug Description
The problem reported below is not limited to just cinder quotas. I checked and see this in other apis as well like quota classes and lots of others. The problem listed down is specific to quotas because I ran into this problem when I tried this rest api:
As we know the policy.json file defines the RBAC for a rest api. I updated my policy json rules for quotas as seen below with an intent that the admin user of a particular project is not able to update or access information w.r.t. quotas of other project . But the below project segregation rules do not work.
"volume_
"volume_
"volume_
These do not work because in the api level code, the same project id is passed for target and credentials.
https:/
This happens because there's no target information passed at the time of rule enforcement in which case the code uses the context project id as the target :
https:/
| Changed in cinder: | |
| assignee: | nobody → Divya K Konoor (dikonoor) |
| Sean McGinnis (sean-mcginnis) wrote Bug Assignee Expired | #1 |
| Changed in cinder: | |
| assignee: | Divya K Konoor (dikonoor) → nobody |
| Matthew Edmonds (edmondsw) wrote | #2 |
Unassigning due to no activity for > 6 months.