Reviewed: https://review.opendev.org/709955 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=763d220504d1e1ef01231bdfbe0f390d28d850b7 Submitter: Zuul Branch: master
commit 763d220504d1e1ef01231bdfbe0f390d28d850b7 Author: zhangbailin <email address hidden> Date: Wed Feb 26 14:32:52 2020 +0800
Fix os-volumes-attachments policy to be admin_or_owner
os-volumes-attachments API policy is default to admin_or_owner[1] but API is allowed for everyone.
We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/709929/1/nova/tests/unit/policies/test_volumes.py@84
This is because API does not pass the server project_id in policy target, impact APIs:
index: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L282 show: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L307 create: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L337 delete: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L440
And if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
[1]https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/volumes_attachments.py#L21
Closes-bug: #1864776
Change-Id: Iff0d8024ee1faeaecb44d717bd870bcd32c8d99c
Reviewed: https:/ /review. opendev. org/709955 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=763d220504d 1e1ef01231bdfbe 0f390d28d850b7
Committed: https:/
Submitter: Zuul
Branch: master
commit 763d220504d1e1e f01231bdfbe0f39 0d28d850b7
Author: zhangbailin <email address hidden>
Date: Wed Feb 26 14:32:52 2020 +0800
Fix os-volumes- attachments policy to be admin_or_owner
os- volumes- attachments API policy is default to admin_or_owner[1]
but API is allowed for everyone.
We can see the test trying with other project context can access the API /review. opendev. org/#/c/ 709929/ 1/nova/ tests/unit/ policies/ test_volumes. py@84
- https:/
This is because API does not pass the server project_id in policy
target, impact APIs:
index: https:/ /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/api/ openstack/ compute/ volumes. py#L282 /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/api/ openstack/ compute/ volumes. py#L307 /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/api/ openstack/ compute/ volumes. py#L337 /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/api/ openstack/ compute/ volumes. py#L440
show: https:/
create: https:/
delete: https:/
And if no target is passed then, policy.py add the default targets which /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/policy. py#L191
is nothing but context.project_id (allow for everyone try to access)
- https:/
[1]https:/ /github. com/openstack/ nova/blob/ c16315165ce307c 605cf4b608b2df3 aa06f46982/ nova/policies/ volumes_ attachments. py#L21
Closes-bug: #1864776
Change-Id: Iff0d8024ee1fae aecb44d717bd870 bcd32c8d99c