os-security-groups API policy is allowed for everyone even though the policy default is admin_or_owner
Bug #1870226 reported by Ghanshyam Mann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Low | Ghanshyam Mann |
Bug Description
The os-security-groups server API policy defaults to admin_or_owner[1], but the API is allowed for everyone.
We can see that the test, trying with another project's context, can access the API
- https:/
This is because the API does not pass the server project_id in the policy target
- https:/
and if no target is passed, then policy.py adds the default targets, which are nothing but context.project_id (allowed for everyone who tries to access)
- https:/
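
The mechanism described above, as an added example that is not part of the original report and is not nova's or oslo.policy's code: a simplified Python model of an admin_or_owner check in which a missing target falls back to the caller's own project_id. All class, function and project names are constructed for illustration, and the `_after` handler assumes the remedy is to pass the server's project_id as the target.

```python
# Simplified model of an admin_or_owner policy check (illustrative only).
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Constructed stand-in for a request context."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Server:
    """Constructed stand-in for a server record."""
    uuid: str
    project_id: str


def admin_or_owner(context, target):
    """Rule: caller is admin, or caller's project matches the target's project."""
    return context.is_admin or context.project_id == target["project_id"]


def authorize(context, target=None):
    """Enforce the rule; with no target, fall back to the caller's own identity."""
    if target is None:
        # Default target as described in the bug: built from the caller's context,
        # so the owner test becomes context.project_id == context.project_id.
        target = {"project_id": context.project_id, "user_id": context.user_id}
    return admin_or_owner(context, target)


def list_security_groups_before(context, server):
    """Handler without a target: the server's owner never enters the check."""
    return authorize(context)


def list_security_groups_after(context, server):
    """Handler that passes the server's project_id as the policy target."""
    return authorize(context, target={"project_id": server.project_id})


# Constructed sample data: a server owned by project-a and three callers.
SERVER = Server(uuid="server-1", project_id="project-a")
OWNER = Context(user_id="alice", project_id="project-a")
OTHER = Context(user_id="bob", project_id="project-b")
ADMIN = Context(user_id="root", project_id="project-admin", is_admin=True)
```

A regression test for this class of bug should call the API with a context from a different project and expect a denial, since the owner and admin cases pass in both variants.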
Changed in nova:
status: New → Triaged
importance: Undecided → Low
tags: added: api
Changed in nova:
status: Fix Committed → Fix Released
fixed in https://review.opendev.org/#/c/716782