No policy enforcement for several delete metadef APIs

Bug #1782840 reported by Rick Bartra
Affects: Glance
Status: Fix Released
Importance: Undecided
Assigned to: Rick Bartra

Bug Description

There is no policy enforcement for the following APIs:

Delete namespace: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-namespace

Delete object: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-object

Remove resource type association: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-resource-type-association

Remove property definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-property-definition

Delete tag definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-tag-definition

Most other APIs have policy enforcement, so the ones above should as well. Without adding policy enforcement for the above APIs, even the least privileged users (i.e. a user with the reader role) can perform the delete APIs noted above.

Rick Bartra (rb560u)
description: updated
Rick Bartra (rb560u)
Changed in glance:
assignee: nobody → Rick Bartra (rb560u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/584530

Changed in glance:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.opendev.org/584530
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d2cc0dc5663657ae80550954269e19a6a8157501
Submitter: Zuul
Branch: master

commit d2cc0dc5663657ae80550954269e19a6a8157501
Author: Rick Bartra <email address hidden>
Date: Fri Jul 20 17:42:09 2018 -0400

    Add Policy enforcement for several Metadata Definition delete APIs

    Several Metadata Definition delete APIs do not have RBAC. This
    patchset adds policy enforcement to the following APIs:

        - `Delete namespace`
        - `Delete object`
        - `Remove resource type association`
        - `Remove property definition`
        - `Delete tag definition`
        - `Delete all tag definitions`

    The following actions are enforced and added to the policy.json:

        - `delete_metadef_namespace`
        - `delete_metadef_object`
        - `remove_metadef_resource_type_association`
        - `remove_metadef_property`
        - `delete_metadef_tag`
        - `delete_metadef_tags`

    Most other APIs have policy enforcement, so the ones above should as
    well. Without adding policy enforcement for the above APIs, all roles
    can perform the delete APIs noted above.

    Change-Id: I8cd6eb26b0d3401fa4667384c31e4c56d838d42b
    Closes-Bug: #1782840
    Co-Authored-By: <email address hidden>
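The gap described in the report and the commit above, modelled as an added example (constructed here; this is neither Glance's nor oslo.policy's code): a namespace delete handler with no policy call beside one that enforces the delete_metadef_namespace action. The rule values in POLICY, the minimal rule evaluator and the in-memory store are assumptions; a real deployment runs these checks through oslo.policy.

```python
# Constructed stand-in for the oslo.policy checks Glance uses (not Glance code).
# Supports only "" / "@" (allow all), "!" (deny all), "role:<n>", "rule:<n>", "or".
POLICY = {  # rule values are assumed; an operator's policy.json may differ
    "context_is_admin": "role:admin",
    "default": "",  # empty rule: everyone passes
    "delete_metadef_namespace": "rule:context_is_admin",
    "delete_metadef_object": "rule:context_is_admin",
    "remove_metadef_resource_type_association": "rule:context_is_admin",
    "remove_metadef_property": "rule:context_is_admin",
    "delete_metadef_tag": "rule:context_is_admin",
    "delete_metadef_tags": "rule:context_is_admin",
}

class Forbidden(Exception):
    pass

def check(rule, roles, policy=POLICY):
    """Evaluate a minimal policy rule string against the caller's roles."""
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(check(p, roles, policy) for p in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(policy.get(value, "!"), roles, policy)
    if kind == "role":
        return value in roles
    raise ValueError(f"unsupported check: {rule!r}")

def enforce(action, roles, policy=POLICY):
    # An action with no entry falls back to the "default" rule, as oslo.policy does.
    if not check(policy.get(action, policy.get("default", "!")), roles, policy):
        raise Forbidden(action)

def delete_namespace_before_fix(store, roles, name):
    del store[name]  # bug: no policy call, so any role (even reader) deletes

def delete_namespace_after_fix(store, roles, name):
    enforce("delete_metadef_namespace", roles)  # the check the fix added
    del store[name]

def can_delete(handler, roles, name="OS::Compute::Quota"):
    store = {name: {"description": "constructed namespace"}}  # fresh store per run
    try:
        handler(store, roles, name)
    except Forbidden:
        return False
    return name not in store
```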

Changed in glance:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 20.0.0.0b3

This issue was fixed in the openstack/glance 20.0.0.0b3 development milestone.
