Default policy allows unrestricted CRUD on os-server-tags

Bug #1581203 reported by Ryan Rossiter
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Sujitha

Bug Description

The default policy for os-server-tags listed here (https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L448-L453) allows all users to do any CRUD operations on all server tags. This should be limited down to only admin_or_owner.

Tags: api policy tags
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315757

Changed in nova:
assignee: nobody → Ryan Rossiter (rlrossit)
status: New → In Progress
Matt Riedemann (mriedem)
tags: added: api policy tags
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/315757
Reason: Looks like this isn't being worked on anymore so I'm going to abandon it.

Markus Zoeller (markus_z) (mzoeller) wrote :

Cleanup
=======

There have been no open reviews for this bug report for more than 2 weeks.
To signal that to other contributors who might provide patches for
this bug, I switch the status from "In Progress" to "Confirmed" and
remove the assignee.
Feel free to add yourself as assignee and to push a review for it.

Changed in nova:
status: In Progress → Confirmed
assignee: Ryan Rossiter (rlrossit) → nobody
Sujitha (sujitha-neti)
Changed in nova:
assignee: nobody → Sujitha (sujitha-neti)
surbhi sarda (surbhisarda) wrote :

@Ryan Rossiter, the link you have specified in the bug description is not a valid one. Can you please check on it?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/396420

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/396420
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f0c0621aa09a6f659e9080313962b99adbb63459
Submitter: Jenkins
Branch: master

commit f0c0621aa09a6f659e9080313962b99adbb63459
Author: Sujitha <email address hidden>
Date: Thu Nov 3 17:16:56 2016 +0000

    Change os-server-tags default policy

    os-server-tags operations should be limited only to admin or owner
    of the server. This patch changes the default policy
    from ANY to ADMIN_OR_OWNER.

    This patch doesn't address the actual policy check at the API level.
    This would be fixed as part of a wider effort. For now, we maintain
    consistency with other similar APIs.

    Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956
    Closes-Bug: #1581203

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0b1

This issue was fixed in the openstack/nova 16.0.0.0b1 development milestone.
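
An audit for the condition this report describes, added here as an example (it is not part of the nova fix or of this thread): it flags os-server-tags rules in a policy file whose check string admits every caller. Because a deployed policy file overrides the in-code defaults, old permissive entries can outlive the upgrade. The sample policy is constructed, and the `any_user` alias in it is hypothetical.

```python
import json

# Constructed sample in the style of a pre-fix nova policy.json.
# "any_user" is a hypothetical alias added to show rule: indirection.
SAMPLE_POLICY = json.loads("""
{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "any_user": "@",
  "os_compute_api:os-server-tags:index": "@",
  "os_compute_api:os-server-tags:show": "",
  "os_compute_api:os-server-tags:update": "rule:any_user",
  "os_compute_api:os-server-tags:update_all": "role:member or @",
  "os_compute_api:os-server-tags:delete": "rule:admin_or_owner",
  "os_compute_api:os-server-tags:delete_all": "!"
}
""")

def is_unrestricted(check, policy, seen=frozenset()):
    """True if an oslo.policy check string lets every caller through.

    Covers "", "@", rule: aliases and flat "a or b" expressions; anything
    more complex is treated as restricted and left for manual review.
    """
    if isinstance(check, list):           # legacy list syntax: [] allows all
        return not check
    check = check.strip()
    if check in ("", "@"):                # empty string and "@" always pass
        return True
    if check.startswith("rule:") and " " not in check:
        name = check[len("rule:"):]
        if name in seen or name not in policy:   # cycle or undefined rule
            return False
        return is_unrestricted(policy[name], policy, seen | {name})
    if " or " in check and "(" not in check and " and " not in check:
        return any(is_unrestricted(p, policy, seen) for p in check.split(" or "))
    return False

def find_unrestricted(policy, prefix):
    """Sorted names of rules under `prefix` that any user satisfies."""
    return sorted(name for name, check in policy.items()
                  if name.startswith(prefix) and is_unrestricted(check, policy))

if __name__ == "__main__":
    for rule in find_unrestricted(SAMPLE_POLICY, "os_compute_api:os-server-tags:"):
        print("unrestricted:", rule, "=", repr(SAMPLE_POLICY[rule]))
```
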
