Add missing 'target_obj' when perform policy check
Generally, we have to pass target object to ``authorize``
when enforce policy check, but this is ignored during
our develop and review process for a long time, and the
potential issue is anyone can handle the target resource
as ``authorize`` will always succeed if rule is defined
``admin_or_owner`` [1]. Luckily, for most of those APIs
this security concern is protected by our database access
code [2] that only project scope resource is allowed.
However, there is one API that do have security issue when
administrator change the rule into "admin_or_owner".
1. "volume reset_status", which cinder will update the
resource directly in the database, procedure to reproduce
bug is described on the launchpad.
This patch intends to correct most of cases which can be
easily figured out in case of future code changes.
Reviewed: https:/ /review. openstack. org/593675 /git.openstack. org/cgit/ openstack/ cinder/ commit/ ?id=76d3c644f3f 5866a5c07f80b66 132d81b8b57e78
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 76d3c644f3f5866 a5c07f80b66132d 81b8b57e78
Author: TommyLike <email address hidden>
Date: Wed Feb 28 16:14:17 2018 +0000
Add missing 'target_obj' when perform policy check
Generally, we have to pass target object to ``authorize`` or_owner` ` [1]. Luckily, for most of those APIs
when enforce policy check, but this is ignored during
our develop and review process for a long time, and the
potential issue is anyone can handle the target resource
as ``authorize`` will always succeed if rule is defined
``admin_
this security concern is protected by our database access
code [2] that only project scope resource is allowed.
However, there is one API that do have security issue when
administrator change the rule into "admin_or_owner".
1. "volume reset_status", which cinder will update the
resource directly in the database, procedure to reproduce
bug is described on the launchpad.
This patch intends to correct most of cases which can be
easily figured out in case of future code changes.
[1]: http:// git.openstack. org/cgit/ openstack/ cinder/ tree/cinder/ context. py?id=73e6e3c14 7fc357031834d0a c28478d061e6120 c#n206 git.openstack. org/cgit/ openstack/ cinder/ tree/cinder/ db/sqlalchemy/ api.py? id=73e6e3c147fc 357031834d0ac28 478d061e6120c# n3058 git.openstack. org/cgit/ openstack/ cinder/ tree/cinder/ api/contrib/ admin_actions. py?id=73e6e3c14 7fc357031834d0a c28478d061e6120 c#n161
[2]: http://
[3]: http://
Conflicts:
cinder/ api/contrib/ volume_ image_metadata. py
Partial-Bug: #1714858 da8d854d4038d64 ca7be17390f 247fc1d1f435200 87a6a10267)
Change-Id: I351b3ddf8dfe29
(cherry picked from commit 7391070474269dc
Signed-off-by: Sean McGinnis <email address hidden>