I quite like Gorkar's policy workarounds using the service_user tokens. That would help our operators to just modify their configurations without needing to upgrade some z-release and then the exploit wouldn't be possible.
For this specific reason, unless we change the fix to use other APIs from Nova that are more older (but honestly, I don't really know which ones) or we explain in the vulnerability details that you need to use the policy workarounds if you're older than Xena.
I quite like Gorkar's policy workarounds using the service_user tokens. That would help our operators to just modify their configurations without needing to upgrade some z-release and then the exploit wouldn't be possible.
I also looked at https:/ /bugs.launchpad .net/nova/ +bug/2004555/ +attachment/ 5656303/ +files/ cinder- 2004555. patch and I'm quite OK with it, but I have a concern : if we want to backport it, then we could only do it down to only Xena as 2.89 is only there in that release. /docs.openstack .org/nova/ latest/ reference/ api-microversio n-history. html#microversi on-2-89
https:/
For this specific reason, unless we change the fix to use other APIs from Nova that are more older (but honestly, I don't really know which ones) or we explain in the vulnerability details that you need to use the policy workarounds if you're older than Xena.