OpenStack Compute (nova)

servers actions (many) API policy is allowed for everyone even policy defaults is admin_or_owner

Bug #1871665 reported by Ghanshyam Mann
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Ghanshyam Mann

Bug Description

server actions like confirm_resize, reboot etc API policy is default to admin_or_owner[1] but API is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/718348/

This is because API does not pass the server project_id in policy target
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872

and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access)
- https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

[1]
- https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285

Tags: api policy
Ghanshyam Mann (ghanshyammann)
affects: neutron → nova
tags: added: policy
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/718501

Changed in nova:
assignee: nobody → Ghanshyam Mann (ghanshyammann)
status: New → In Progress
Sylvain Bauza (sylvain-bauza)
Changed in nova:
status: In Progress → Confirmed
importance: Undecided → High
tags: added: api
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/718501
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=2a4a7162099ebb61c6d5eb5b410f710b3509a031
Submitter: Zuul
Branch: master

commit 2a4a7162099ebb61c6d5eb5b410f710b3509a031
Author: Ghanshyam Mann <email address hidden>
Date: Wed Apr 8 10:38:49 2020 -0500

    Fix servers policy for admin_or_owner

    servers API policy is default to admin_or_owner[1] but API
    is allowed for everyone.

    We can see the test trying with other project context can access the API
    - https://review.opendev.org/#/c/717204

    This is because API does not pass the server project_id in policy target[2]
    and if no target is passed then, policy.py add the default targets which is
    nothing but context.project_id (allow for everyone who try to access)[3]

    This commit fix this policy by passing the server's project_id in policy
    target.

    Closes-bug: #1871665
    Partial implement blueprint policy-defaults-refresh

    [1] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/servers.py#L285
    [2] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/servers.py#L872
    [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    Change-Id: Ia8234fd9f4ee1871d6f225c8bd4e4adc5289d605

Changed in nova:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.