Comment 69 for bug 2004555

Brian Rosmaita (brian-rosmaita) wrote : Re: [ussuri] Wrong volume attachment - volumes overlapping when connected through iscsi on host

@Gorka: nice work finding the policy-based workaround!

The service_* properties have been exposed in oslo.context since 2.12.0 (Ocata) (commit 2eafb0eb6b0898), which, coincidentally, is when the Attachments API that allows the exploit was introduced.

oslo.policy has been supporting a yaml policy file since 1.10.0 (Newton) (commit 83d209e9ed1a1f7f70), so we'd only need to provide an example yaml file.

One thing we should mention is that for safety, the policy file should be explicitly mentioned in the configuration file for each service as the value of the [oslo_policy] policy_file option. That's because since Queens, if a policy_file isn't found, the policies defined in code are used, and until Wallaby or Xena, the default value for policy_file in most services was policy.json (which would mean that a policy.yaml file would be ignored in the default configuration). Likewise, in recent releases, a policy.json file is ignored in the default configuration, so it's safest to configure this explicitly.
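
One way to audit a deployment for the policy_file point raised above, as an added example that is not part of the original comment or of any OpenStack project. The function name, the finding codes and the sample cinder.conf are constructed, and the check assumes a relative policy_file is resolved next to the service configuration file.

```python
import configparser
import os
import tempfile


def audit_policy_file(conf_path):
    """Return finding codes for one service configuration file."""
    # Service configs are INI-style; keep '%' literal and tolerate repeated options.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(conf_path)
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    value = cp.get("oslo_policy", "policy_file", fallback=None)
    findings, used = [], None
    if value is None:
        # Which file is read, if any, then depends on the release default.
        findings.append("NOT_EXPLICIT")
    else:
        # Assumption: a relative policy_file sits next to the service config.
        used = os.path.normpath(os.path.join(conf_dir, value))
        if not os.path.isfile(used):
            # Since Queens a missing file means the in-code policies are used.
            findings.append("MISSING:" + used)
    for name in ("policy.yaml", "policy.json"):
        candidate = os.path.join(conf_dir, name)
        if os.path.isfile(candidate) and candidate != used:
            # A policy file exists here but the service is not pointed at it.
            findings.append("UNREFERENCED:" + name)
    return findings


def demo():
    """Constructed sample: a policy.yaml dropped beside a config that never names it."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "cinder.conf")
        with open(os.path.join(d, "policy.yaml"), "w") as f:
            f.write("# constructed placeholder policy file\n")
        with open(conf, "w") as f:
            f.write("[DEFAULT]\ndebug = false\n")
        before = audit_policy_file(conf)
        with open(conf, "a") as f:
            f.write("[oslo_policy]\npolicy_file = policy.yaml\n")
        after = audit_policy_file(conf)
    return before, after


if __name__ == "__main__":
    print(demo())
```

An empty list means the service is explicitly pointed at a policy file that exists; it says nothing about whether the rules inside that file are correct.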