There is no policy controlling the "complete attachment" API action
Bug #1737000 reported by
Matt Riedemann
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Cinder |
Fix Released
|
Low
|
Aseel Awwad | ||
Bug Description
There is no policy rule restricting the "os-complete" action to a volume attachment:
https:/
https:/
This means anyone that can read the attachment from the database can also complete it.
You could likely re-use the same policy rules as the attachment update action, or add a new one for granularity. This is low severity but probably good to have for completeness.
| Changed in cinder: | |
| assignee: | nobody → Aseel Awwad (aseelawwad) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to cinder (master) | #1 |
| Changed in cinder: | |
| status: | Triaged → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to cinder (master) | #2 |
| Changed in cinder: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/cinder 12.0.0.0b3 | #3 |
To post a comment you must log in.
Fix proposed to branch: master
Review: https:/