OpenStack Compute (nova)

unpause server API policy is allowed for everyone even policy defaults is admin_or_owner

Bug #1869841 reported by Ghanshyam Mann on 2020-03-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Undecided	Ghanshyam Mann

Bug Description

unpause server API policy is default to admin_or_owner[1] but API is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/716161//1

This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/api/openstack/compute/pause_server.py#L58

and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/policies/pause_server.py#L38

Tags:

Ghanshyam Mann (ghanshyammann) on 2020-03-31

tags:

added: policy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-31: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/716165

Changed in nova:
assignee:	nobody → Ghanshyam Mann (ghanshyammann)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-04-01: Fix merged to nova (master)

Reviewed: https://review.opendev.org/716165
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd0b96176ac8e51a88fc6f388b31f3758089d87c
Submitter: Zuul
Branch: master

commit cd0b96176ac8e51a88fc6f388b31f3758089d87c
Author: Ghanshyam Mann <email address hidden>
Date: Tue Mar 31 01:28:09 2020 -0500

Fix unpause server policy to be admin_or_owner

unpause server API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/716161/

    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy
target.

Closes-bug: #1869841
Partial implement blueprint policy-defaults-refresh

    [1]
    - https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/policies/pause_server.py#L38
    [2]
    - https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/api/openstack/compute/pause_server.py#L58
    [3]
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

Change-Id: Iacfaec63eb380863657b44c7f5ff14f6209e3857

Changed in nova:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.