Default policy allows unrestricted CRUD on os-server-tags

Bug #1581203 reported by Ryan Rossiter on 2016-05-12
This bug affects 1 person
Affects: OpenStack Compute (nova)
Importance: Medium
Assigned to: Sujitha

Bug Description

The default policy for os-server-tags listed here (https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L448-L453) allows all users to do any CRUD operations on all server tags. This should be limited down to only admin_or_owner.

Fix proposed to branch: master
Review: https://review.openstack.org/315757

Changed in nova:
assignee: nobody → Ryan Rossiter (rlrossit)
status: New → In Progress
Matt Riedemann (mriedem) on 2016-05-12
tags: added: api policy tags
Changed in nova:
importance: Undecided → Medium

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/315757
Reason: Looks like this isn't being worked on anymore so I'm going to abandon it.

Cleanup
=======

There have been no open reviews for this bug report for more than 2 weeks.
To signal that to other contributors who might provide patches for
this bug, I switch the status from "In Progress" to "Confirmed" and
remove the assignee.
Feel free to add yourself as assignee and to push a review for it.

Changed in nova:
status: In Progress → Confirmed
assignee: Ryan Rossiter (rlrossit) → nobody
Sujitha (sujitha-neti) on 2016-10-07
Changed in nova:
assignee: nobody → Sujitha (sujitha-neti)
surbhi sarda (surbhisarda) wrote :

@Ryan Rossiter, the link you have specified in the bug description is not a valid one. Can you please check on it?

Fix proposed to branch: master
Review: https://review.openstack.org/396420

Changed in nova:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/396420
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f0c0621aa09a6f659e9080313962b99adbb63459
Submitter: Jenkins
Branch: master

commit f0c0621aa09a6f659e9080313962b99adbb63459
Author: Sujitha <email address hidden>
Date: Thu Nov 3 17:16:56 2016 +0000

    Change os-server-tags default policy

    os-server-tags operations should be limited only to admin or owner
    of the server. This patch changes the default policy
    from ANY to ADMIN_OR_OWNER.

    This patch doesn't address the actual policy check at the API level.
    This would be fixed as part of a wider effort. For now, we maintain
    consistency with other similar APIs.

    Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956
    Closes-Bug: #1581203

Changed in nova:
status: In Progress → Fix Released

This issue was fixed in the openstack/nova 16.0.0.0b1 development milestone.
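
As an added example (not code from nova or from this bug report), the following Python audits a policy file for os-server-tags rules that every user passes and rewrites them to admin_or_owner, the same default change the fix makes. The rule names, the `any` alias and the sample policy are constructed assumptions; only bare `rule:<name>` aliases are followed, not compound expressions.

```python
import json

PREFIX = "os_compute_api:os-server-tags:"  # assumed nova rule prefix
OWNER_RULE = "admin_or_owner"

# Constructed sample policy (illustrative, not copied from nova's policy.json).
SAMPLE = json.loads("""{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "any": "@",
  "os_compute_api:os-server-tags:index": "@",
  "os_compute_api:os-server-tags:show": "",
  "os_compute_api:os-server-tags:update": "rule:any",
  "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"
}""")


def resolve(policy, check):
    """Follow bare 'rule:<name>' aliases to the check string they end at."""
    seen = set()
    while isinstance(check, str) and check.strip().startswith("rule:"):
        name = check.strip()[len("rule:"):]
        if name in seen or name not in policy:
            break  # alias cycle, unknown rule, or a compound expression
        seen.add(name)
        check = policy[name]
    return check


def is_unrestricted(check):
    """oslo.policy passes every request for "", "@" and the legacy []."""
    return check == [] or (isinstance(check, str) and check.strip() in ("", "@"))


def audit(policy):
    """Return the server-tags rules that any authenticated user satisfies."""
    return sorted(name for name, check in policy.items()
                  if name.startswith(PREFIX)
                  and is_unrestricted(resolve(policy, check)))


def harden(policy):
    """Copy the policy with every flagged rule set to rule:admin_or_owner."""
    if OWNER_RULE not in policy:
        raise KeyError(OWNER_RULE + " is not defined in this policy")
    fixed = dict(policy)
    fixed.update({name: "rule:" + OWNER_RULE for name in audit(policy)})
    return fixed


if __name__ == "__main__":
    print("unrestricted:", audit(SAMPLE))
    print("after fix:   ", audit(harden(SAMPLE)))
```

As the commit message notes, changing the default does not by itself add the policy check at the API level, so a clean audit result covers the policy file only.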
