This is because the API does not pass the server project_id in the policy target[2],
and if no target is passed, then policy.py adds the default targets, which is
nothing but context.project_id (allowed for everyone who tries to access)[3].
This commit fixes this policy by passing the server's project_id in the policy
target.
Reviewed: https://review.opendev.org/716165
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd0b96176ac8e51a88fc6f388b31f3758089d87c
Submitter: Zuul
Branch: master
commit cd0b96176ac8e51a88fc6f388b31f3758089d87c
Author: Ghanshyam Mann <email address hidden>
Date: Tue Mar 31 01:28:09 2020 -0500
Fix unpause server policy to be admin_or_owner
unpause server API policy is default to admin_or_owner[1] but API
is allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/716161/
This is because the API does not pass the server project_id in the policy target[2],
and if no target is passed, then policy.py adds the default targets, which is
nothing but context.project_id (allowed for everyone who tries to access)[3].
This commit fixes this policy by passing the server's project_id in the policy
target.
Closes-bug: #1869841
Partial implement blueprint policy-defaults-refresh
[1]
- https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/policies/pause_server.py#L38
[2]
- https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/api/openstack/compute/pause_server.py#L58
[3]
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
Change-Id: Iacfaec63eb380863657b44c7f5ff14f6209e3857
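
The default-target behaviour described in the commit message above, as an added illustration that is not part of the commit or of nova's code. Context, Server, authorize and the two unpause functions are hypothetical, simplified stand-ins, and the sample contexts are constructed.

```python
# Added illustration: simplified model of an admin_or_owner check, not nova's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:            # hypothetical stand-in for a request context
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Server:             # hypothetical stand-in for a server record
    uuid: str
    project_id: str


def admin_or_owner(context, target):
    """Owner means the caller's project matches the target's project_id."""
    return context.is_admin or context.project_id == target["project_id"]


def authorize(context, target=None):
    # With no target, the default target is built from the caller's own
    # context, so the owner comparison compares the caller with itself
    # and succeeds for every caller.
    if target is None:
        target = {"project_id": context.project_id}
    return admin_or_owner(context, target)


def unpause_before_fix(context, server):
    return authorize(context)  # no target passed


def unpause_after_fix(context, server):
    # The fix: the target carries the server's project_id.
    return authorize(context, target={"project_id": server.project_id})


def demo():
    server = Server(uuid="constructed-uuid", project_id="project-a")
    owner = Context(project_id="project-a")
    other = Context(project_id="project-b")
    admin = Context(project_id="project-c", is_admin=True)
    callers = (owner, other, admin)
    return {
        "before": [unpause_before_fix(c, server) for c in callers],
        "after": [unpause_after_fix(c, server) for c in callers],
    }
```

A regression test for this class of bug calls the API with a context from a different project and asserts that the policy check rejects it.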