require_admin_context() does not account for policy.json rulesets
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Medium | Unassigned | |
Bug Description
The API RBAC is done using a policy.json file which allows fine-grained control over each API endpoint by setting specific rules.
Consequently, some defaulted admin-only endpoints can be opened by modifying their corresponding policy rules to be for anyone.
Unfortunately, in many places (in the DB and at the API level, following the blueprint api-policy-v3), there is a call to context.
As we all agreed with api-policy-v3 that RBAC should be done at the API level, there is no reason to keep that call to context.
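As an added illustration (not nova's code, nor the reporter's), here is a toy model of the two layers the description contrasts: a policy.json-style rule evaluated at the API level, and a hard-coded `require_admin_context()` in the DB layer that ignores it. The rule names, request contexts and the simplified rule evaluator are all constructed; the point is that once an operator opens `compute:hosts` to everyone, the DB-layer check still refuses the non-admin caller.

```python
# Added illustration, not nova's code: a toy model of the two checks the bug describes.
# Rule syntax mimics policy.json ('', 'rule:X', 'is_admin:True', 'a or b'); the rules
# and the request contexts below are constructed sample data.

class PolicyNotAuthorized(Exception):
    """API layer: the policy.json rule for the action denied the request."""

class AdminRequired(Exception):
    """DB layer: the hard-coded require_admin_context() check denied it."""

DEFAULT_POLICY = {
    "admin_api": "is_admin:True",
    "compute:hosts": "rule:admin_api",   # admin-only by default
}

def check_rule(rule, ctx, policy):
    """Evaluate a small subset of policy.json rule syntax against a request context."""
    rule = rule.strip()
    if rule == "":                                   # empty rule: anyone may call
        return True
    if " or " in rule:
        return any(check_rule(r, ctx, policy) for r in rule.split(" or "))
    if rule.startswith("rule:"):                     # reference to another named rule
        return check_rule(policy[rule[5:]], ctx, policy)
    key, _, value = rule.partition(":")              # e.g. is_admin:True
    return str(ctx.get(key)) == value

def require_admin_context(ctx):
    """Toy stand-in for the DB-layer check, which never consults policy.json."""
    if not ctx.get("is_admin"):
        raise AdminRequired()

def db_host_get_all(ctx):
    require_admin_context(ctx)
    return ["compute-1", "compute-2"]                # constructed result

def api_list_hosts(ctx, policy):
    """API handler: enforce the policy rule first, then call into the DB layer."""
    if not check_rule(policy["compute:hosts"], ctx, policy):
        raise PolicyNotAuthorized("compute:hosts")
    return db_host_get_all(ctx)

def which_layer_denies(ctx, policy=DEFAULT_POLICY):
    """Return 'allowed', 'policy' or 'db' depending on where the request stops."""
    try:
        api_list_hosts(ctx, policy)
        return "allowed"
    except PolicyNotAuthorized:
        return "policy"
    except AdminRequired:
        return "db"

ADMIN = {"user_id": "alice", "is_admin": True}            # constructed contexts
NON_ADMIN = {"user_id": "bob", "is_admin": False}
# An operator opens the endpoint to everyone, as the description says policy allows.
OPENED_POLICY = {**DEFAULT_POLICY, "compute:hosts": ""}
```

With the default policy the non-admin is stopped by the policy rule; with the opened policy the API check passes but the request is still refused by the DB-layer admin check, which is the mismatch the bug reports.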
Changed in nova: | |
importance: | Undecided → Medium |
Changed in nova: | |
status: | New → Confirmed |
tags: | added: low-hanging-fruit |
Changed in nova: | |
assignee: | nobody → Zhenyu Zheng (zhengzhenyu) |
Changed in nova: | |
assignee: | Zhenyu Zheng (zhengzhenyu) → Diana Clarke (diana-clarke) |
Only wondering whether some operators utilize the admin check before, so
the not-allowed operations will become allowed now.
The api-policy-v3 aims to be backward compatible, but this needs a doc update, and operators need to be aware?