[rbac] Reader user able to create and delete group snapshot

Bug #2037970 reported by Yosi Ben Shimon
This bug affects 1 person

Affects: Cinder
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

A user with the reader role can create and delete a group snapshot.
These requests should be forbidden for a reader.

From the tempest logs:

***** create group snapshot:
2023-10-01 15:03:14,134 92819 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_group_snapshot): 202 POST https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots 0.378s
2023-10-01 15:03:14,135 92819 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.19', 'X-Auth-Token': '<omitted>'}
        Body: {"group_snapshot": {"group_id": "cf2b5558-dde1-4727-9aad-cc622092d395", "name": "tempest-ProjectReaderTests-Group_Snapshot-1594032646"}}
    Response - Headers: {'date': 'Sun, 01 Oct 2023 15:03:13 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-4e4393c2-13b5-425f-bdce-a8bde471e532', 'content-length': '187', 'openstack-api-version': 'volume 3.19', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-4e4393c2-13b5-425f-bdce-a8bde471e532', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots'}
        Body: b'{"group_snapshot": {"id": "82d784bf-8a69-4d94-88b8-b7c5f8c6dd51", "name": "tempest-ProjectReaderTests-Group_Snapshot-1594032646", "group_type_id": "a76bef25-0603-4046-b772-1750f72a0bba"}}'

***** delete group snapshot:
2023-10-01 15:03:21,069 92819 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_group_snapshot): 202 DELETE https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots/5d3af872-86bd-4d52-8cdc-dd78a5ce6f6b 0.140s
2023-10-01 15:03:21,069 92819 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.19', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Sun, 01 Oct 2023 15:03:20 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.19', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-4d065c67-4223-4783-99fd-6ad9a4e6396d', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100/group_snapshots/5d3af872-86bd-4d52-8cdc-dd78a5ce6f6b'}
        Body: b''

Additional info:
Failing job:
https://zuul.opendev.org/t/openstack/build/11df3f9f84384514b91678ba58972000

From cinder.conf:
[oslo_policy]
enforce_new_defaults = True

Tags: rbac
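
Added example, not part of the original report and not tempest or Cinder code: a check that scans tempest rest_client INFO lines like the ones above for write requests that returned 2xx inside a reader-persona test class. The function name, the "Reader" class-name marker and the set of methods treated as writes are assumptions; the summary line names the calling test, not the credentials that sent the request, so each hit is a candidate to confirm against the test code.

```python
import re
from urllib.parse import urlsplit

# Summary line that tempest.lib.common.rest_client logs at INFO level.
REQUEST_RE = re.compile(
    r"\[tempest\.lib\.common\.rest_client\] Request "
    r"\((?P<cls>\w+):(?P<test>\w+)\): "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)"
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}  # assumption: treated as writes

BASE = "https://10.209.35.34/volume/v3/6205b6edf2c5400484a510cf0c559100"
PFX = "92819 INFO [tempest.lib.common.rest_client] Request"
# Lines 1-2 reproduce the two INFO lines from the report; lines 3-5 are
# constructed controls (allowed read, denied write, non-reader test class).
SAMPLE_LOG = f"""\
2023-10-01 15:03:14,134 {PFX} (ProjectReaderTests:test_create_group_snapshot): 202 POST {BASE}/group_snapshots 0.378s
2023-10-01 15:03:21,069 {PFX} (ProjectReaderTests:test_delete_group_snapshot): 202 DELETE {BASE}/group_snapshots/5d3af872-86bd-4d52-8cdc-dd78a5ce6f6b 0.140s
2023-10-01 15:03:22,000 {PFX} (ProjectReaderTests:test_list_group_snapshots): 200 GET {BASE}/group_snapshots 0.050s
2023-10-01 15:03:23,000 {PFX} (ProjectReaderTests:test_delete_group): 403 DELETE {BASE}/groups/example-id 0.040s
2023-10-01 15:03:24,000 {PFX} (ProjectMemberTests:test_create_group_snapshot): 202 POST {BASE}/group_snapshots 0.300s
"""


def reader_write_successes(lines, class_marker="Reader"):
    """Return (test, method, path, status) for each write request that got a
    2xx response while running under a reader-persona test class."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or class_marker not in m["cls"]:
            continue  # not a request summary, or not a reader test class
        status = int(m["status"])
        if m["method"] in MUTATING and 200 <= status < 300:
            path = urlsplit(m["url"]).path
            findings.append((m["test"], m["method"], path, status))
    return findings


if __name__ == "__main__":
    for finding in reader_write_successes(SAMPLE_LOG.splitlines()):
        print("reader write accepted:", *finding)
```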