server topology API policy is allowed for everyone even though the policy default is admin_or_owner

Bug #1870872 reported by Ghanshyam Mann
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Stephen Finucane

Bug Description

The server topology index policy defaults to admin_or_owner[1], but the API is allowed for everyone.

We can see in the test that a request with another project's context can access the API
- https://review.opendev.org/#/c/717524/

This is because the API does not pass the server project_id in the policy target
- https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30

and if no target is passed, policy.py adds the default target, which is nothing but context.project_id (allowing everyone who tries to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24

Tags: policy
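A constructed Python model of the behaviour the report describes, added here as an illustration and not nova or oslo.policy code: the check string is evaluated against a target dict, and when the API supplies no target, the policy layer substitutes the caller's own project_id, so the owner half of admin_or_owner compares the caller with itself and always matches. The check string, the RequestContext class and the function names are assumptions made for the example.

```python
"""Simplified model of the admin_or_owner target defaulting defect.

Constructed illustration; it mimics only the relevant behaviour of
nova/policy.py and oslo.policy, not their real implementations.
"""
from dataclasses import dataclass

# Assumed check string for the server topology rule (page calls it admin_or_owner).
ADMIN_OR_OWNER = "is_admin:True or project_id:%(project_id)s"


@dataclass
class RequestContext:
    project_id: str
    is_admin: bool = False

    def to_policy_values(self):
        return {"project_id": self.project_id, "is_admin": self.is_admin}


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:match' atom against the caller credentials.

    %(key)s placeholders in the match are filled from the target dict,
    which is what makes the target (not the caller) the thing owned.
    """
    kind, match = atom.split(":", 1)
    expected = match % target if "%" in match else match
    actual = creds.get(kind)
    if isinstance(actual, bool):
        return str(actual) == expected
    return actual == expected


def enforce(rule, context, target=None):
    """Return True if the rule passes; defaults the target like the bug describes."""
    if target is None:
        # The defect: with no target, the owner being checked is the caller itself.
        target = {"project_id": context.project_id}
    creds = context.to_policy_values()
    return any(_check_atom(a.strip(), creds, target) for a in rule.split(" or "))


def buggy_topology_check(context):
    """Before the fix: no target passed, so any authenticated project passes."""
    return enforce(ADMIN_OR_OWNER, context)


def fixed_topology_check(context, server_project_id):
    """After the fix: the server's project_id is the target, so ownership is real."""
    return enforce(ADMIN_OR_OWNER, context, {"project_id": server_project_id})
```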
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/717525

Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: New → In Progress
tags: added: policy
Changed in nova:
assignee: Ghanshyam Mann (ghanshyammann) → Stephen Finucane (stephenfinucane)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/717525
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=88e399c98b2abd3e851b1c1c5124d5f1899d6f19
Submitter: Zuul
Branch: master

commit 88e399c98b2abd3e851b1c1c5124d5f1899d6f19
Author: Ghanshyam Mann <email address hidden>
Date: Sat Apr 4 23:48:33 2020 -0500

    Correct server topology policy check_str

    The server topology API policy defaults to admin_or_owner[1],
    but the API is allowed (which is expected) for everyone.

    This is because the API does not pass the project_id in the policy
    target so that oslo.policy can decide the ownership[2]. If no
    target is passed, policy.py adds the default target, which
    is nothing but context.project_id (allowing everyone who tries to access).
    - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    Passing the server project_id as the target makes it admin_or_owner.

    [1] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24
    [2] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30

    Change-Id: I3296e08f16adf95949822bc43c03ef42fed74a4a
    Closes-bug: #1870872

Changed in nova:
status: In Progress → Fix Released