os-volumes-attachments API policy is allowed for everyone even though the policy default is admin_or_owner
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Undecided | Brin Zhang | |
Bug Description
os-volumes-
We can see the test trying with another project's context can access the API
- https:/
This is because the API does not pass the server's project_id in the policy target
index-https:/
and if no target is passed, policy.py adds the default target, which is nothing but context.project_id (allowing everyone who tries to access)
- https:/
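The default-target behaviour described above, as an added example that is not nova's code: a simplified model of the policy check with constructed context and server records, showing why omitting the target makes admin_or_owner match every caller and how passing the owning project's id as the target restores the check. The RequestContext, Server, authorize and can_list_attachments_* names are assumptions, not nova identifiers.

```python
from dataclasses import dataclass


@dataclass
class RequestContext:
    """Constructed stand-in for the caller's request context (assumption)."""
    project_id: str
    user_id: str
    is_admin: bool = False


@dataclass
class Server:
    """Constructed stand-in for a server record owned by a project."""
    id: str
    project_id: str


def admin_or_owner(context, target):
    """Evaluate the rule 'is_admin:True or project_id:%(project_id)s'
    against the supplied target, as the admin_or_owner default would."""
    return context.is_admin or target.get("project_id") == context.project_id


def authorize(context, target=None):
    """Model of the default-target fallback the report describes: when the
    API passes no target, the target is built from the caller's own context,
    so the owner comparison compares the caller with itself and always holds."""
    if target is None:
        target = {"project_id": context.project_id, "user_id": context.user_id}
    return admin_or_owner(context, target)


def can_list_attachments_buggy(context, server):
    """'Before': no target passed, so any authenticated project is allowed."""
    return authorize(context)


def can_list_attachments_fixed(context, server):
    """'After': the server's project_id is passed as the policy target."""
    return authorize(context, target={"project_id": server.project_id})


if __name__ == "__main__":
    srv = Server(id="srv-1", project_id="proj-a")          # constructed
    other = RequestContext(project_id="proj-b", user_id="u2")
    print("buggy allows other project:", can_list_attachments_buggy(other, srv))
    print("fixed allows other project:", can_list_attachments_fixed(other, srv))
```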
Changed in nova:
assignee: nobody → Brin Zhang (zhangbailin)
status: New → Confirmed
tags: added: policy
tags: added: policy-defaults-refresh
Same as in the os-volumes API, with bug 1864777