os-deferred-delete restore server API policy is allowed for everyone even though the policy default is admin_or_owner
Bug #1863009 reported by Ghanshyam Mann
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Undecided | John Garbutt | |
Bug Description
The os-deferred-delete restore server API policy defaults to admin_or_owner [1], but the API is allowed for everyone.
We can see that the test trying with another project's context can access the API:
- https:/
This is because the API does not pass the server project_id in the policy target:
- https:/
and if no target is passed, policy.py adds the default targets, which are nothing but context.project_id (allowing everyone who tries to access):
- https:/
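To make the mechanism concrete, here is an added, simplified model of the enforcement path the report describes (example code, not nova's or oslo.policy's own); the class and function names are assumed for illustration. Without a target, the owner check compares the caller's project_id with itself and always passes; passing the server's project_id as the target restores the intended admin_or_owner behaviour.

```python
# Added example (not nova's code): minimal model of the defect in this bug.
# The restore rule is admin_or_owner, i.e. the caller is an admin or the
# target's project_id equals the caller's project_id. If the API does not
# pass the server's project_id as the policy target, the enforcer falls back
# to a default target built from the caller's own context, so the owner check
# degenerates to ctx.project_id == ctx.project_id and any project is allowed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class RequestContext:      # assumed stand-in for nova's request context
    project_id: str
    is_admin: bool = False


@dataclass
class Instance:            # assumed stand-in for a nova server object
    uuid: str
    project_id: str


def admin_or_owner(target: dict, ctx: RequestContext) -> bool:
    """Model of 'is_admin:True or project_id:%(project_id)s'."""
    return ctx.is_admin or target.get("project_id") == ctx.project_id


def authorize(ctx: RequestContext, target: Optional[dict] = None) -> bool:
    """Model of the enforcer: with no target, default to the caller's own ids."""
    if target is None:
        target = {"project_id": ctx.project_id}   # default target from context
    return admin_or_owner(target, ctx)


def restore_buggy(ctx: RequestContext, instance: Instance) -> bool:
    # Defect: no target passed, so the owner check can never fail.
    return authorize(ctx)


def restore_fixed(ctx: RequestContext, instance: Instance) -> bool:
    # Fix: the target carries the server's project_id, so other projects are refused.
    return authorize(ctx, target={"project_id": instance.project_id})


def demo() -> dict:
    # Constructed sample data: a server owned by project-a, three callers.
    server = Instance("constructed-server-uuid", project_id="project-a")
    owner = RequestContext("project-a")
    other = RequestContext("project-b")
    admin = RequestContext("project-z", is_admin=True)
    return {
        "buggy_other": restore_buggy(other, server),   # True: the bug
        "fixed_other": restore_fixed(other, server),   # False
        "fixed_owner": restore_fixed(owner, server),   # True
        "fixed_admin": restore_fixed(admin, server),   # True
    }
```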
- tags: added: api-policy
- tags: added: policy-defaults-refresh; removed: api-policy
- Changed in nova: assignee: Ghanshyam Mann (ghanshyammann) → John Garbutt (johngarbutt)
- tags: added: policy; removed: policy-defaults-refresh
Fix proposed to branch: master
Review: https://review.opendev.org/707457