Policy group:reset_group_snapshot_status has incorrect checkstring

Bug #1908315 reported by Brian Rosmaita
This bug affects 1 person
Affects   Status         Importance  Assigned to     Milestone
Cinder    Fix Released   High        Brian Rosmaita
Queens    Fix Released   High        Brian Rosmaita
Rocky     Fix Committed  High        Brian Rosmaita
Stein     Fix Committed  High        Brian Rosmaita
Train     Fix Released   High        Brian Rosmaita
Ussuri    Fix Released   High        Brian Rosmaita
Victoria  Fix Released   High        Brian Rosmaita
Wallaby   Fix Released   High        Brian Rosmaita

Bug Description

The current checkstring for group:reset_group_snapshot_status is RULE_ADMIN_OR_OWNER [0]. This was set by change If95a8aaa70614902a06420d1afa487827f8a3f03, which was part of the policy-in-code initiative in Queens [1]. The original value, however, was "rule:admin_api" [2]. There's no discussion of the change on the review [3], and at the Wallaby R-18 mid-cycle meeting, we decided that it was a mistake that needs to be corrected [4], because exposing this capability to end users can be dangerous.

[0] https://opendev.org/openstack/cinder/src/commit/108c554dc3a853b053fbc1360f27ef13a0dc8335/cinder/policies/group_snapshot_actions.py#L27
[1] https://review.opendev.org/c/openstack/cinder/+/507812/6/cinder/policies/group_snapshot_actions.py#27
[2] https://review.opendev.org/c/openstack/cinder/+/507812/6/etc/cinder/policy.json#b108
[3] https://review.opendev.org/c/openstack/cinder/+/507812
[4] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies

Tags: policies
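
Added example, not part of the bug report or of Cinder's code: a small stand-in evaluator showing which callers pass each check string for this policy, and that an operator override to the admin-only value closes the gap on a release without the fix. The base-rule definitions in `RULES`, the sample callers, and the helper names are assumptions for illustration; the evaluator handles only `and`/`or` without parentheses.

```python
# Simplified base rules, assumed for illustration; real deployments resolve
# them through oslo.policy and Cinder's own defaults.
RULES = {
    "admin_api": "role:admin",
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
}
POLICY = "group:reset_group_snapshot_status"
BEFORE = "rule:admin_or_owner"  # default from Queens until the fix
AFTER = "rule:admin_api"        # original value, restored by the fix

# Constructed sample data: one group snapshot and three callers.
TARGET = {"project_id": "proj-a"}
CALLERS = {
    "admin": {"roles": ["admin"], "project_id": "ops"},
    "owner": {"roles": ["member"], "project_id": "proj-a"},
    "other": {"roles": ["member"], "project_id": "proj-b"},
}

def allowed(check, target, creds):
    """Evaluate a check string of kind:match atoms joined by and/or."""
    def atom(tok):
        kind, _, match = tok.strip().partition(":")
        if kind == "rule":  # reference to a named rule
            return allowed(RULES[match], target, creds)
        if kind == "role":
            return match in creds.get("roles", [])
        return str(creds.get(kind)) == match  # e.g. project_id:<owner>
    expr = check % target  # fill in %(project_id)s from the target
    return any(all(atom(t) for t in term.split(" and "))
               for term in expr.split(" or "))

def who_may_reset(default, overrides=None):
    """Callers passing the check in effect (operator override wins)."""
    check = (overrides or {}).get(POLICY, default)
    return sorted(n for n, c in CALLERS.items() if allowed(check, TARGET, c))

if __name__ == "__main__":
    print("pre-fix default :", who_may_reset(BEFORE))
    print("fixed default   :", who_may_reset(AFTER))
    print("pre-fix+override:", who_may_reset(BEFORE, {POLICY: AFTER}))
```
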
Brian Rosmaita (brian-rosmaita) wrote :

This will need to be backported to stable/queens.

Brian Rosmaita (brian-rosmaita) wrote :

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 18.0.0.0b1

This issue was fixed in the openstack/cinder 18.0.0.0b1 development milestone.

Lance Bragstad (lbragstad) wrote :

Should this be closed now?

Brian Rosmaita (brian-rosmaita) wrote :

@Lance: thanks for poking this. I need to check the status of the backports.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 17.1.0

This issue was fixed in the openstack/cinder 17.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 16.3.0

This issue was fixed in the openstack/cinder 16.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 15.5.0

This issue was fixed in the openstack/cinder 15.5.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/stein)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/782125
Committed: https://opendev.org/openstack/cinder/commit/83b4c1144c4c3dda7fac887fd6bd5ea285cac7ea
Submitter: "Zuul (22348)"
Branch: stable/stein

commit 83b4c1144c4c3dda7fac887fd6bd5ea285cac7ea
Author: Brian Rosmaita <email address hidden>
Date: Tue Dec 15 17:20:22 2020 -0500

    Correct group:reset_group_snapshot_status policy

    The default value for the group:reset_group_snapshot_status policy,
    which governs the Block Storage API call "Reset group snapshot
    status"[0], was changed to admin-or-owner during refactoring for the
    policy-in-code initiative in Queens [1]. Consensus at the Wallaby
    R-18 mid-cycle was that this change was a mistake that should be
    corrected [2].

    [0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
    [1] https://review.opendev.org/c/openstack/cinder/+/507812
    [2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies

    Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
    Closes-bug: #1908315
    (cherry picked from commit 1631742f43a2d1f60cf5ccee26dced1d542f2bf6)
    (cherry picked from commit 1941ecc6d4013ecfdf7e2d37fd87ffaa04d8a38d)
    (cherry picked from commit 6c399a8b0d8e945911cf4408b0d6cb2d3d15bd3a)
    (cherry picked from commit f6d256cf1fdc6d4d98b33cf511efa8cf2e71f2f4)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/c/openstack/cinder/+/809657

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/rocky)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/809657
Committed: https://opendev.org/openstack/cinder/commit/cdcf7b5f8b3c850555942f422b8ad1f43e21fe7b
Submitter: "Zuul (22348)"
Branch: stable/rocky

commit cdcf7b5f8b3c850555942f422b8ad1f43e21fe7b
Author: Brian Rosmaita <email address hidden>
Date: Tue Dec 15 17:20:22 2020 -0500

    Correct group:reset_group_snapshot_status policy

    The default value for the group:reset_group_snapshot_status policy,
    which governs the Block Storage API call "Reset group snapshot
    status"[0], was changed to admin-or-owner during refactoring for the
    policy-in-code initiative in Queens [1]. Consensus at the Wallaby
    R-18 mid-cycle was that this change was a mistake that should be
    corrected [2].

    [0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
    [1] https://review.opendev.org/c/openstack/cinder/+/507812
    [2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies

    Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
    Closes-bug: #1908315
    (cherry picked from commit 1631742f43a2d1f60cf5ccee26dced1d542f2bf6)
    (cherry picked from commit 1941ecc6d4013ecfdf7e2d37fd87ffaa04d8a38d)
    (cherry picked from commit 6c399a8b0d8e945911cf4408b0d6cb2d3d15bd3a)
    (cherry picked from commit f6d256cf1fdc6d4d98b33cf511efa8cf2e71f2f4)
    (cherry picked from commit 83b4c1144c4c3dda7fac887fd6bd5ea285cac7ea)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/c/openstack/cinder/+/815646

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/queens)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/815646
Committed: https://opendev.org/openstack/cinder/commit/8b222bdd1df4c0bcfe46f42a5dfb229424dbb9f9
Submitter: "Zuul (22348)"
Branch: stable/queens

commit 8b222bdd1df4c0bcfe46f42a5dfb229424dbb9f9
Author: Brian Rosmaita <email address hidden>
Date: Tue Dec 15 17:20:22 2020 -0500

    Correct group:reset_group_snapshot_status policy

    The default value for the group:reset_group_snapshot_status policy,
    which governs the Block Storage API call "Reset group snapshot
    status"[0], was changed to admin-or-owner during refactoring for the
    policy-in-code initiative in Queens [1]. Consensus at the Wallaby
    R-18 mid-cycle was that this change was a mistake that should be
    corrected [2].

    [0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
    [1] https://review.opendev.org/c/openstack/cinder/+/507812
    [2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies

    Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
    Closes-bug: #1908315
    (cherry picked from commit 1631742f43a2d1f60cf5ccee26dced1d542f2bf6)
    (cherry picked from commit 1941ecc6d4013ecfdf7e2d37fd87ffaa04d8a38d)
    (cherry picked from commit 6c399a8b0d8e945911cf4408b0d6cb2d3d15bd3a)
    (cherry picked from commit f6d256cf1fdc6d4d98b33cf511efa8cf2e71f2f4)
    (cherry picked from commit 83b4c1144c4c3dda7fac887fd6bd5ea285cac7ea)
    (cherry picked from commit cdcf7b5f8b3c850555942f422b8ad1f43e21fe7b)

Eric Harney (eharney)
Changed in cinder:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder queens-eol

This issue was fixed in the openstack/cinder queens-eol release.
