os-security-groups API policy is allowed for everyone even though the policy default is admin_or_owner

Bug #1870226 reported by Ghanshyam Mann
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Ghanshyam Mann

Bug Description

The os-security-groups server API policy defaults to admin_or_owner [1], but the API is allowed for everyone.

We can see in the test that a request with another project's context can access the API:
- https://review.opendev.org/#/c/716779/

This is because the API does not pass the server's project_id in the policy target:
- https://github.com/openstack/nova/blob/7b51647f17c88c7c1ae321c59ab8a98c586d4b67/nova/api/openstack/compute/security_groups.py#L427

and if no target is passed, policy.py adds the default target, which is nothing but context.project_id (allowing everyone who tries to access):
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/7b51647f17c88c7c1ae321c59ab8a98c586d4b67/nova/policies/security_groups.py#L27
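The mechanism described in the report, as an added example that is not nova's or oslo.policy's own code: a minimal enforcer that models how an admin_or_owner rule behaves when the API omits the policy target and the enforcer defaults it to the caller's own project_id. The rule string, credential dict and `enforce` helper are simplified assumptions, not nova's real classes.

```python
# Added example (not nova's code): a minimal model of oslo.policy-style
# "admin_or_owner" enforcement with and without an explicit policy target.
# Rule syntax and context shape are simplified assumptions.

ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"


def _check_clause(clause, creds, target):
    """Evaluate one 'key:value' clause; value may reference the target via %(key)s."""
    key, value = clause.split(":", 1)
    value = value % target  # substitute target attributes, e.g. %(project_id)s
    if value == "True":
        return bool(creds.get(key))
    return str(creds.get(key)) == value


def enforce(rule, creds, target=None):
    """Mimic the enforcer: when no target is given, default it to the caller's own
    project_id. That default is exactly what makes the owner check pass for everyone,
    because the caller's project_id is compared against itself."""
    if target is None:
        target = {"project_id": creds.get("project_id")}  # the problematic default
    return any(_check_clause(c.strip(), creds, target) for c in rule.split(" or "))


def can_list_server_security_groups(creds, server, pass_target):
    """Buggy call (pass_target=False: no target) vs. fixed call (pass_target=True:
    target carries the server's project_id, so the owner check is meaningful)."""
    target = {"project_id": server["project_id"]} if pass_target else None
    return enforce(ADMIN_OR_OWNER, creds, target)


# Constructed sample data: a server owned by project "owner-proj", a non-admin
# caller from a different project, and the real owner.
SERVER = {"id": "srv-1", "project_id": "owner-proj"}
OTHER_USER = {"is_admin": False, "project_id": "other-proj"}
OWNER = {"is_admin": False, "project_id": "owner-proj"}

if __name__ == "__main__":
    print("no target, other project:", can_list_server_security_groups(OTHER_USER, SERVER, False))  # True
    print("with target, other project:", can_list_server_security_groups(OTHER_USER, SERVER, True))  # False
    print("with target, owner:", can_list_server_security_groups(OWNER, SERVER, True))  # True
```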

Tags: policy
Changed in nova:
status: New → Triaged
importance: Undecided → Low
tags: added: api
Revision history for this message
Ghanshyam Mann (ghanshyammann) wrote:
Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: Triaged → Fix Committed
tags: added: policy
removed: api
description: updated
Changed in nova:
status: Fix Committed → Fix Released