os-volumes-attachments API policy is allowed for everyone even though the policy default is admin_or_owner

Bug #1864776 reported by Brin Zhang
Affects: OpenStack Compute (nova) | Status: Fix Released | Importance: Undecided | Assigned to: Brin Zhang | Milestone: (none)
Brin Zhang (zhangbailin)
Changed in nova:
assignee: nobody → Brin Zhang (zhangbailin)
status: New → Confirmed
tags: added: policy
tags: added: policy-defaults-refresh
Brin Zhang (zhangbailin) wrote :

Same as in the os-volumes API, with bug 1864777

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/709955

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/709955
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=763d220504d1e1ef01231bdfbe0f390d28d850b7
Submitter: Zuul
Branch: master

commit 763d220504d1e1ef01231bdfbe0f390d28d850b7
Author: zhangbailin <email address hidden>
Date: Wed Feb 26 14:32:52 2020 +0800

    Fix os-volumes-attachments policy to be admin_or_owner

    os-volumes-attachments API policy defaults to admin_or_owner[1]
    but the API is allowed for everyone.

    We can see that the test trying with another project's context can access the API:
      - https://review.opendev.org/#/c/709929/1/nova/tests/unit/policies/test_volumes.py@84

    This is because the API does not pass the server's project_id in the policy
    target. Impacted APIs:

    index: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L282
    show: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L307
    create: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L337
    delete: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L440

    And if no target is passed, policy.py adds the default target, which
    is nothing but context.project_id (so everyone who tries to access is allowed):
      - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    [1]https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/volumes_attachments.py#L21

    Closes-bug: #1864776

    Change-Id: Iff0d8024ee1faeaecb44d717bd870bcd32c8d99c

Changed in nova:
status: In Progress → Fix Released
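The mechanism described in the commit message above, as an added illustration that is not Nova's own code: a minimal model of an oslo.policy-style `admin_or_owner` check, where leaving the target empty makes the caller's own project_id the target, so the "owner" clause compares the caller against itself. The rule string, `RequestContext`, and the `attachments_index_*` helpers are assumptions made for this example.

```python
# Illustrative model of the os-volumes-attachments policy defect (not Nova's
# code). Names and the rule string below are assumptions for this example.
from dataclasses import dataclass

# Two-clause rule in the shape oslo.policy uses for admin-or-owner checks.
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"


@dataclass
class RequestContext:
    """Minimal stand-in for the request context carrying caller identity."""
    project_id: str
    is_admin: bool = False


def _check(rule, creds, target):
    """Evaluate an 'or' of key:value clauses; %(...)s is filled from target."""
    for clause in (c.strip() for c in rule.split(" or ")):
        key, expected = clause.split(":", 1)
        expected = expected % target  # substitute %(project_id)s from target
        if str(creds.get(key)) == expected:
            return True
    return False


def authorize(context, rule, target=None):
    """Mimics the default-target fallback: with no explicit target, the
    caller's own project_id becomes the target being 'owned'."""
    if target is None:
        target = {"project_id": context.project_id}
    creds = {"project_id": context.project_id, "is_admin": context.is_admin}
    return _check(rule, creds, target)


def attachments_index_before(context, server):
    """Defective form: no target, so any authenticated caller is 'owner'."""
    return authorize(context, ADMIN_OR_OWNER)


def attachments_index_after(context, server):
    """Fixed form: the server's project_id is the target to compare against."""
    return authorize(context, ADMIN_OR_OWNER,
                     target={"project_id": server["project_id"]})


if __name__ == "__main__":
    server = {"project_id": "tenant-a"}          # constructed sample server
    other = RequestContext(project_id="tenant-b")  # caller from another project
    print("before fix:", attachments_index_before(other, server))  # True
    print("after fix: ", attachments_index_after(other, server))   # False
```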