@Eric Harney, @Jeremy Stanely, I think this bug not belongs to a Public Security or even Security/Critial bug as non-administrator still can not query the resource which doesn't in his tenant.
This bug is more about should we make our policy enforcement system work exactly as what is define, for instance:
we have our policy rule: admin_or_owner:
```
policy.RuleDefault('admin_or_owner', 'is_admin:True or (role:admin and ' 'is_admin_project:True) or project_id:%(project_id)s', description="Default rule for most non-Admin APIs."),
```
and enforce policy in code:
```
def get_snapshot(self, context, snapshot_id): context.authorize(snapshot_policy.GET_POLICY)
snapshot = objects.Snapshot.get_by_id(context, snapshot_id)
```
the problem is when non-administrator wants to query resource which doesn't below to his tenant, the authorize will always succeed and he will get a 404 rather than 403.
@Eric Harney, @Jeremy Stanely, I think this bug not belongs to a Public Security or even Security/Critial bug as non-administrator still can not query the resource which doesn't in his tenant.
This bug is more about should we make our policy enforcement system work exactly as what is define, for instance: RuleDefault( 'admin_ or_owner' ,
'is_admin: True or (role:admin and '
'is_admin_ project: True) or project_ id:%(project_ id)s',
description= "Default rule for most non-Admin APIs."),
context. authorize( snapshot_ policy. GET_POLICY) Snapshot. get_by_ id(context, snapshot_id)
we have our policy rule: admin_or_owner:
```
policy.
```
and enforce policy in code:
```
def get_snapshot(self, context, snapshot_id):
snapshot = objects.
```
the problem is when non-administrator wants to query resource which doesn't below to his tenant, the authorize will always succeed and he will get a 404 rather than 403.