no policy enforcement for GET /os-hosts

Bug #1732808 reported by Ghanshyam Mann
Affects: Cinder
Status: Fix Released
Importance: Medium
Assigned to: Brin Zhang

Bug Description

Cinder does not do policy enforcement for GET /os-hosts [0], whereas the policy doc says the opposite [1].

PUT /os-host has policy control, which defaults to admin only. Is there any rationale not to have policy control over GET /os-host? If so, we should fix the doc at least.

This is found during this - https://review.openstack.org/#/c/519609/1

[0] https://github.com/openstack/cinder/blob/0cf910d4345c000e8c306b1cb2b2dd291975cf71/cinder/api/contrib/hosts.py#L135-L190

[1] https://github.com/openstack/cinder/blob/10a3f4e1c6f21effc79fd309628111c221543e0d/cinder/policies/hosts.py
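
An added example, not part of the original report and not Cinder's code: a static check for the kind of gap described above, listing API handler methods that never call a policy check. The controller source, the `authorize` method name and `MANAGE_POLICY` are constructed assumptions.

```python
import ast

# Constructed sample modelled on the report: index and update enforce a
# policy, show does not. Not Cinder's source; every name is hypothetical.
SAMPLE_CONTROLLER = '''
class HostController:
    def index(self, req):
        context = req.environ["cinder.context"]
        context.authorize(MANAGE_POLICY)
        return {"hosts": []}

    def update(self, req, id, body):
        req.environ["cinder.context"].authorize(MANAGE_POLICY)
        return {"host": id}

    def show(self, req, id):
        context = req.environ["cinder.context"]
        return {"host": self._describe(context, id)}

    def _describe(self, context, host):
        return []
'''

ENFORCEMENT_CALLS = {"authorize"}  # assumed name of the policy-check method


def _calls_enforcement(func):
    """True if the function body contains a call to a policy-check method."""
    for node in ast.walk(func):
        if isinstance(node, ast.Call):
            target = node.func
            name = getattr(target, "attr", None) or getattr(target, "id", None)
            if name in ENFORCEMENT_CALLS:
                return True
    return False


def unenforced_handlers(source):
    """List 'Class.method' for public handlers (taking req) with no policy check."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for item in cls.body:
            if not isinstance(item, ast.FunctionDef) or item.name.startswith("_"):
                continue
            takes_request = "req" in [a.arg for a in item.args.args]
            if takes_request and not _calls_enforcement(item):
                findings.append(f"{cls.name}.{item.name}")
    return findings
```

The check only sees direct calls, so a handler that delegates enforcement to a helper is reported as well and needs a manual look.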

Jay Bryant (jsbryant) wrote :

Generally we do not allow non-administrative users to do anything that gives insight to the underlying hosts/backends/etc. So, I think the documentation is right in this case.

Changed in cinder:
status: New → Triaged
importance: Undecided → Medium
tags: added: bugsmash low-hanging-fruit
TommyLike (hu-husheng) wrote :

Agree. We need to update the code.

Brin Zhang (zhangbailin)
Changed in cinder:
assignee: nobody → zhangbailin (zhangbailin)
Changed in cinder:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/522110
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=f39c3fac2cf4e436a2c5de4f6bfcae1c879f3e43
Submitter: Zuul
Branch: master

commit f39c3fac2cf4e436a2c5de4f6bfcae1c879f3e43
Author: zhangbailin <email address hidden>
Date: Wed Nov 22 12:23:00 2017 +0800

    Update access control of show under hostAPI

    Update the detection mechanism of show interface under the host API.
    Replacement detection mode, and add policy for host show API.

    Change-Id: I76ca1251cd14da6c777bd48a28906d8362d836b0
    Closes-Bug: #1732808

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 12.0.0.0b2

This issue was fixed in the openstack/cinder 12.0.0.0b2 development milestone.
