Nova ignores reader role conventions in default policies
Bug #1931571 reported by Florian Faltermeier
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Expired | Undecided | Unassigned | |
Bug Description
In keystone, if I grant someone the reader role on a project, the read-only (role reader) user is able to create a new instance within the project.
Openstack Version: wallaby
1. Create a user within a project and add role reader to the user.
2. Log in with the read-only user into the project and try to create an instance.
Florian
This sounds like you might not have enabled the new policy default roles [1] in nova [2].
In nova, the new policy default roles need to be enabled in order to use them [3], for example:
[oslo_policy]
enforce_new_defaults = True
Can you confirm whether you have enabled this config?
I'm marking this bug as Incomplete for now and if you can respond with more information, you can set this bug back to New in order to alert us to your response.
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
[3] https://docs.openstack.org/nova/latest/configuration/config.html#oslo_policy.enforce_new_defaults
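The following is an added example, not code from nova, oslo.policy or this bug thread, that models why the reader role can create a server until `enforce_new_defaults` is switched on. The rule strings reproduce nova's legacy `admin_or_owner` rule and the newer `project_member_api` rule as documented in [2]; the evaluator itself is a small stand-in for oslo.policy that understands only `rule:`, `role:`, `is_admin:` and `%(project_id)s` checks, and `can_create_server` mirrors the documented deprecation behaviour (with `enforce_new_defaults = False` the deprecated rule is OR'ed with the new one, with it set to `True` only the new rule counts). The credentials and targets at the bottom are constructed sample data.

```python
# Added example: a minimal model of oslo.policy rule evaluation showing how
# nova's policy transition affects a user that holds only the "reader" role.

# Rule strings as nova documents them for the Wallaby transition. The legacy
# rule never looks at roles at all, which is the root of the reported issue.
RULES = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "project_member_api": "role:member and project_id:%(project_id)s",
}
DEPRECATED_CREATE = "rule:admin_or_owner"   # what servers:create used before
NEW_CREATE = "rule:project_member_api"      # what it uses with new defaults


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' check in the spirit of oslo.policy's
    generic checks: 'rule:X' recurses into RULES, 'role:X' looks at the
    caller's roles, and 'key:%(field)s' compares a credential key with the
    same-named field of the target being acted on."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(RULES[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        return str(creds.get(kind)) == str(target.get(value[2:-2]))
    return str(creds.get(kind)) == value


def evaluate(rule, creds, target):
    """Evaluate 'a and b or c' with 'and' binding tighter than 'or', which is
    the precedence oslo.policy applies. Parentheses and 'not' are not
    needed for the rules above and are deliberately unsupported."""
    for disjunct in rule.split(" or "):
        atoms = [a.strip() for a in disjunct.split(" and ")]
        if all(_check_atom(a, creds, target) for a in atoms):
            return True
    return False


def can_create_server(creds, target, enforce_new_defaults):
    """Model of oslo.policy's deprecated-rule handling: while the operator has
    not opted in to the new defaults, passing either the new rule or the
    deprecated rule is enough; once enforce_new_defaults is True, only the
    new rule is consulted."""
    if evaluate(NEW_CREATE, creds, target):
        return True
    return (not enforce_new_defaults) and evaluate(DEPRECATED_CREATE, creds, target)


# Constructed sample credentials (what keystone would assert in the token)
# and a constructed target (the project the server would be created in).
READER = {"roles": ["reader"], "project_id": "proj-a", "is_admin": False}
MEMBER = {"roles": ["member", "reader"], "project_id": "proj-a", "is_admin": False}
TARGET = {"project_id": "proj-a"}

if __name__ == "__main__":
    for label, creds in (("reader", READER), ("member", MEMBER)):
        for flag in (False, True):
            print(f"{label:6} enforce_new_defaults={flag!s:5} -> "
                  f"create allowed: {can_create_server(creds, TARGET, flag)}")
```

Running the block shows the reader passing the legacy `admin_or_owner` check purely because the token's project matches the target project; flipping `enforce_new_defaults` to `True` makes the `role:member` requirement the only path, so the reader is denied while the member is still allowed.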