OpenStack Compute (nova)

  1. Bug #1869841
  2. Comment #2

Comment 2 for bug 1869841

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/716165
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd0b96176ac8e51a88fc6f388b31f3758089d87c
Submitter: Zuul
Branch: master

commit cd0b96176ac8e51a88fc6f388b31f3758089d87c
Author: Ghanshyam Mann <email address hidden>
Date: Tue Mar 31 01:28:09 2020 -0500

    Fix unpause server policy to be admin_or_owner

    unpause server API policy is default to admin_or_owner[1] but API
    is allowed for everyone.

    We can see the test trying with other project context can access the API
    - https://review.opendev.org/#/c/716161/

    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]

    This commit fix this policy by passing the server's project_id in policy
    target.

    Closes-bug: #1869841
    Partial implement blueprint policy-defaults-refresh

    [1]
    - https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/policies/pause_server.py#L38
    [2]
    - https://github.com/openstack/nova/blob/eb6bd04e4c27c70b5239dbe7c17607b37f4e87dd/nova/api/openstack/compute/pause_server.py#L58
    [3]
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    Change-Id: Iacfaec63eb380863657b44c7f5ff14f6209e3857