OpenStack Compute (nova)

require_admin_context() does not account for policy.json rulesets

Bug #1447164 reported by Sylvain Bauza
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Medium
Unassigned

Bug Description

The API RBAC is done using a policy.json file which allows fine-grained control over each API endpoint by setting specific rules.
Consequently, some defaulted admin-only endpoints can be opened by modifying their corresponding policy rules to be for anyone.

Unfortunately, in many places (in the DB and at the API level following the blueprint api-policy-v3 ), there is a call to context.require_admin_context() which is just checking if the user is admin or no but doesn't match with the policy rules.

As we all agreed with api-policy-v3 that RBAC should be done at the API level, there is no reason to keep that call to context.require_admin_context() and we should assume that policy.json is the single source of truth for knowing the access rights.

Sylvain Bauza (sylvain-bauza)
Changed in nova:
importance: Undecided → Medium
Revision history for this message
jichenjc (jichenjc) wrote :

Only wondering whether some operators utilize the admin check before so
the not allowed operations will became allowed now

the api-policy-v3 aims to backward compatible but this need Doc update and operator need to be awared?

Revision history for this message
Matt Riedemann (mriedem) wrote :

I don't disagree, see bug 1168488 from way back in grizzly.

The only thing would be we'd have to make sure the default rule is admin for any v2 extensions which are enforcing an admin context today.

Sylvain Bauza (sylvain-bauza)
Changed in nova:
status: New → Confirmed
tags: added: low-hanging-fruit
Zhenyu Zheng (zhengzhenyu)
Changed in nova:
assignee: nobody → Zhenyu Zheng (zhengzhenyu)
Diana Clarke (diana-clarke)
Changed in nova:
assignee: Zhenyu Zheng (zhengzhenyu) → Diana Clarke (diana-clarke)
Revision history for this message
Diana Clarke (diana-clarke) wrote :

There are currently 41 calls to require_admin_context:

    nova_context.require_admin_context(context)

All of them are in:

    nova/api/openstack/compute/legacy_v2/contrib/

Each one of those calls is prefixed by a similar comment:

        # NOTE(alex_xu): back-compatible with db layer hard-code admin
        # permission checks.
        nova_context.require_admin_context(context)

And this comment addresses the question this bug raises:

        # NOTE(alex_xu): back-compatible with db layer hard-code admin
        # permission checks. This has to be left only for API v2.0 because
        # this version has to be stable even if it means that only admins
        # can call this method while the policy could be changed.
        nova_context.require_admin_context(context)

I suspect (but I could be wrong) that there was consensus to stop here with these API policy/permission check changes.

Can someone please confirm that the direction this bug proposes is still desired? Thanks!

If not... then we can close this bug.

Revision history for this message
Alex Xu (xuhj) wrote :

Actually in the original spec, we said keep the v2 API behavior as the same https://github.com/openstack/nova-specs/blob/master/specs/kilo/approved/nova-api-policy.rst

So we add back-compatible check to the legacy v2 API. And this legacy v2 API already deprecated, so I think it's worth to do it.

I prefer to close the bug...

Revision history for this message
Diana Clarke (diana-clarke) wrote :

Thanks for the additional context, Alex. I'll close this bug (mark it as invalid).

Changed in nova:
status: Confirmed → Invalid
assignee: Diana Clarke (diana-clarke) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.