os-attach-interfaces API policy is allowed for everyone even though the policy default is admin_or_owner

Bug #1861464 reported by Ghanshyam Mann
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: John Garbutt
Milestone: (none)

Bug Description

The os-attach-interfaces API policy defaults to admin_or_owner[1], but the API is allowed for everyone.

We can see that a test using another project's context can access the API
- https://review.opendev.org/#/c/705126/1

This is because the API does not pass the server's project_id in the policy target
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/attach_interfaces.py#L70

and if no target is passed, policy.py adds the default target, which is nothing but context.project_id (allowing everyone who tries to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28
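
The defect described in the report, reduced to a minimal model (an added example, not nova's code and not part of the original report). Context, Server, authorize and the two handler functions are hypothetical names, and the rule is a simplified stand-in for admin_or_owner; the sample callers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Constructed stand-in for the caller's request context."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Server:
    """Constructed stand-in for the server the API call acts on."""
    uuid: str
    project_id: str


def admin_or_owner(context, target):
    # Simplified rule: the caller is admin, or the caller's project
    # matches the project recorded in the policy target.
    return context.is_admin or context.project_id == target["project_id"]


def authorize(context, target=None):
    # Models the fallback the report describes: with no target, the
    # target is built from the caller's own context, so the ownership
    # comparison is the caller's project against itself.
    if target is None:
        target = {"project_id": context.project_id, "user_id": context.user_id}
    return admin_or_owner(context, target)


def handler_without_target(context, server):
    # Pre-fix pattern: no target passed, the server's owner is never consulted.
    return authorize(context)


def handler_with_target(context, server):
    # Post-fix pattern: the server's project_id is the policy target.
    return authorize(context, target={"project_id": server.project_id})


def audit(handler):
    """Return the allow/deny decision per constructed caller for one handler."""
    server = Server(uuid="constructed-server-uuid", project_id="project-a")
    callers = {
        "owner": Context("user-1", "project-a"),
        "other_project": Context("user-2", "project-b"),
        "admin": Context("user-3", "project-c", is_admin=True),
    }
    return {name: handler(ctx, server) for name, ctx in callers.items()}
```

Calling audit() on each handler gives a compact regression check: the "other_project" caller is the only decision that differs between the two patterns.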

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/705135

Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: New → In Progress
melanie witt (melwitt) wrote :

Setting this as low given how latent the bug is.

Changed in nova:
importance: Undecided → Low
tags: added: policy-defaults-refresh
melanie witt (melwitt)
tags: added: policy
Changed in nova:
assignee: Ghanshyam Mann (ghanshyammann) → John Garbutt (johngarbutt)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/705135
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=728f2b215e0b9f12ea256acb1e39f7b93d918e6f
Submitter: Zuul
Branch: master

commit 728f2b215e0b9f12ea256acb1e39f7b93d918e6f
Author: Ghanshyam <email address hidden>
Date: Thu Jan 30 18:18:39 2020 -0600

    Fix os-attach-interfaces policy to be admin_or_owner

    The os-attach-interfaces API policy defaults to admin_or_owner[1], but
    the API is allowed for everyone.

    We can see that a test using another project's context can access the API
    - https://review.opendev.org/#/c/705126/1

    This is because the API does not pass the server's project_id in the
    policy target[2], and if no target is passed, policy.py adds the default
    target, which is nothing but context.project_id (allowing everyone who
    tries to access)[3].

    This commit fixes this policy by passing the server's project_id in the
    policy target.

    [1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28
    [2] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/attach_interfaces.py#L70
    [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
    Closes-bug: #1861464

    Change-Id: I1e2247884169e6ba3e5302be4323428c67ce7a10

Changed in nova:
status: In Progress → Fix Released