Cinder

[rbac] Reader and member users can list and show group-type

Bug #2038805 reported by Yosi Ben Shimon on 2023-10-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	New	Undecided	Brian Rosmaita

Bug Description

[rbac] Reader and member users can list and show group-type.
These requests should be forbidden for reader and member accroding to the policies:
https://docs.openstack.org/cinder/xena/configuration/block-storage/policy-personas.html#id12

From the tempest logs:

***** list group types (reader):
2023-09-27 19:22:29,732 92062 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_list_group_types): 200 GET https://173.231.255.252/volume/v3/9c6ec91e1daa42af9495724315718fd1/group_types 0.041s
2023-09-27 19:22:29,732 92062 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.11', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Wed, 27 Sep 2023 19:22:29 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-a38f76b0-61e5-4efd-82ab-9a9a79e6d6a7', 'content-length': '351', 'openstack-api-version': 'volume 3.11', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-a38f76b0-61e5-4efd-82ab-9a9a79e6d6a7', 'connection': 'close', 'status': '200', 'content-location': 'https://173.231.255.252/volume/v3/9c6ec91e1daa42af9495724315718fd1/group_types'}
        Body: b'{"group_types": [{"id": "da66e6ab-c035-44bc-a45c-fae9e0654256", "name": "tempest-type-group-type-33640433", "description": "tempest-group-type-description-992715506", "is_public": true}, {"id": "a39e20ba-cbed-4277-9ad2-fcf18fabe964", "name": "default_cgsnapshot_type", "description": "Default group type for migrating cgsnapshot", "is_public": true}]}'
}}}

***** show group type (reader):
2023-09-27 19:22:29,814 92062 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_show_group_type): 200 GET https://173.231.255.252/volume/v3/9c6ec91e1daa42af9495724315718fd1/group_types/da66e6ab-c035-44bc-a45c-fae9e0654256 0.048s
2023-09-27 19:22:29,814 92062 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.11', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Wed, 27 Sep 2023 19:22:29 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-febb358b-2b1d-4afa-8033-eca91bd5fc87', 'content-length': '184', 'openstack-api-version': 'volume 3.11', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-febb358b-2b1d-4afa-8033-eca91bd5fc87', 'connection': 'close', 'status': '200', 'content-location': 'https://173.231.255.252/volume/v3/9c6ec91e1daa42af9495724315718fd1/group_types/da66e6ab-c035-44bc-a45c-fae9e0654256'}
        Body: b'{"group_type": {"id": "da66e6ab-c035-44bc-a45c-fae9e0654256", "name": "tempest-type-group-type-33640433", "description": "tempest-group-type-description-992715506", "is_public": true}}'
}}}

*** Same results for member role.

Failed job:
https://zuul.opendev.org/t/openstack/build/46b7662c5f9248f7a625a000d90faf41

Tags:

Jon Bernard (jbernard) on 2023-10-11

Changed in cinder:
assignee:	nobody → Brian Rosmaita (brian-rosmaita)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.