There is no policy controlling the "complete attachment" API action
Bug #1737000 reported by Matt Riedemann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Low | Aseel Awwad |
Bug Description
There is no policy rule restricting the "os-complete" action to a volume attachment:
https:/
https:/
This means anyone that can read the attachment from the database can also complete it.
You could likely re-use the same policy rules as the attachment update action, or add a new one for granularity. This is low severity but probably good to have for completeness.
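A simplified model of the gap described in the report above, added here as an example; it is not Cinder or oslo.policy code, and the rule names (`attachment:get`, `attachment:update`, `attachment:complete`), context fields and handler functions are hypothetical. It assumes an operator has restricted attachment updates to admins, and shows that an ungated complete handler ignores that restriction while a gated one honors it.

```python
class PolicyNotAuthorized(Exception):
    """Raised when the caller fails the rule registered for an action."""

def is_admin(ctx, target):
    return "admin" in ctx["roles"]

def admin_or_owner(ctx, target):
    return is_admin(ctx, target) or ctx["project_id"] == target["project_id"]

# Constructed operator policy (hypothetical rule names): reads are
# project-scoped, updates are locked down to admins.
RULES = {"attachment:get": admin_or_owner, "attachment:update": is_admin}

def authorize(ctx, action, target, rules=RULES):
    """Default-deny: an action with no registered rule is refused."""
    check = rules.get(action)
    if check is None or not check(ctx, target):
        raise PolicyNotAuthorized(action)

def get_attachment(ctx, db, attachment_id):
    attachment = db[attachment_id]
    authorize(ctx, "attachment:get", attachment)
    return attachment

def complete_unchecked(ctx, db, attachment_id):
    # Before: only the read is gated, so whoever can read can also complete.
    attachment = get_attachment(ctx, db, attachment_id)
    attachment["completed"] = True
    return attachment

def complete_checked(ctx, db, attachment_id, rule="attachment:update"):
    # After: the action has its own check. The default re-uses the update
    # rule; pass a dedicated rule name for finer granularity.
    attachment = get_attachment(ctx, db, attachment_id)
    authorize(ctx, rule, attachment)
    attachment["completed"] = True
    return attachment

def demo():
    db = {"att-1": {"project_id": "p1", "completed": False}}  # constructed
    member = {"project_id": "p1", "roles": ["member"]}
    admin = {"project_id": "ops", "roles": ["admin"]}
    out = {"unchecked_member": complete_unchecked(member, db, "att-1")["completed"]}
    db["att-1"]["completed"] = False
    try:
        complete_checked(member, db, "att-1")
        out["checked_member"] = "allowed"
    except PolicyNotAuthorized:
        out["checked_member"] = "denied"
    out["checked_admin"] = complete_checked(admin, db, "att-1")["completed"]
    return out
```
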
Changed in cinder:
assignee: nobody → Aseel Awwad (aseelawwad)
Fix proposed to branch: master
Review: https://review.openstack.org/536119