[Yahoo-eng-team] [Bug 1782840] [NEW] No policy enforcement for several delete metadef APIs

2018-07-20 Thread Rick Bartra
Public bug reported:

There is no policy enforcement for the following APIs:

Delete namespace: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-namespace

Delete object: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-object

Remove resource type association: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-resource-type-association

Remove property definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-property-definition

Delete tag definition: https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-tag-definition

** Affects: glance
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1782840

Title:
  No policy enforcement for several delete metadef APIs

Status in Glance:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1782840/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1778994] [NEW] Compute services (os-services) API not granular enough by policy and code

2018-06-27 Thread Rick Bartra
Public bug reported:

The Nova Compute services (os-services) API is not granular enough in
the sense that multiple APIs check the same policy action for list,
update, and delete. This does not allow operators with strict security
requirements to have different roles that can perform certain APIs but
not others - it currently is all or nothing. As it currently stands,
listing, updating, and deleting compute services checks the single
policy action 'os_compute_api:os-services' - which prevents operators
who want read only roles or other sub-admin type roles. To further
achieve RBAC granularity, new policy actions should be introduced and
checked by the os-services API.

** Affects: nova
 Importance: Undecided
 Assignee: Rick Bartra (rb560u)
 Status: New

** Changed in: nova
 Assignee: (unassigned) => Rick Bartra (rb560u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1778994

Title:
  Compute services (os-services) API not granular enough by policy and
  code

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1778994/+subscriptions



[Yahoo-eng-team] [Bug 1675147] [NEW] Compute flavor management not granular enough by policy and code

2017-03-22 Thread Rick Bartra
Public bug reported:

We need the Nova policy and code to support more granularity (i.e.
Create/Read/Update/Delete) for Flavor management. Current policy check
only checks os_compute_api:os-flavor-manage and action(s) are missing in
the nova policy-in-code. Each API should have its own policy action that
it checks.

The new policy checks should be added here:
https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/flavor_manage.py

Additional policy actions should be added here:
https://github.com/openstack/nova/blob/master/nova/policies/flavor_manage.py

** Affects: nova
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1675147

Title:
  Compute flavor management not granular enough by policy and code

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1675147/+subscriptions
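
An added example (not part of the reports above, and not Glance or Nova code): a small audit over an inventory of API operations that flags the two conditions these three reports describe, operations with no policy check and one policy action guarding several operations. The inventory, the role names and the per-operation action names ending in :list, :update and :delete are constructed for illustration.

```python
from collections import defaultdict

SERVICES = "os_compute_api:os-services"        # action named in the report
FLAVORS = "os_compute_api:os-flavor-manage"    # action named in the report

# Constructed inventory: operation -> policy action its handler checks.
# None means the handler performs no policy check at all.
CHECKED = {
    "glance delete-namespace": None,
    "glance delete-object": None,
    "nova os-services list": SERVICES,
    "nova os-services update": SERVICES,
    "nova os-services delete": SERVICES,
    "nova flavor create": FLAVORS,
    "nova flavor delete": FLAVORS,
}

def audit(checked):
    """Return (operations with no check, actions guarding several operations)."""
    unenforced = sorted(op for op, act in checked.items() if act is None)
    by_action = defaultdict(list)
    for op, act in checked.items():
        if act is not None:
            by_action[act].append(op)
    shared = {a: sorted(ops) for a, ops in by_action.items() if len(ops) > 1}
    return unenforced, shared

def allowed_ops(role, checked, policy):
    """Operations `role` can call; policy maps action -> set of roles.
    In this model an operation without a check is open to every role."""
    return sorted(op for op, act in checked.items()
                  if act is None or role in policy.get(act, set()))

# Hypothetical per-operation action names (illustration only).
GRANULAR = {
    **CHECKED,
    "nova os-services list": SERVICES + ":list",
    "nova os-services update": SERVICES + ":update",
    "nova os-services delete": SERVICES + ":delete",
}

if __name__ == "__main__":
    print(audit(CHECKED))
    # Coarse: giving "reader" the shared action also grants update and delete.
    print(allowed_ops("reader", CHECKED, {SERVICES: {"admin", "reader"}}))
    # Granular: "reader" can be limited to list.
    print(allowed_ops("reader", GRANULAR, {SERVICES + ":list": {"reader"}}))
```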



[Yahoo-eng-team] [Bug 1638344] [NEW] Horizon checks a neutron policy.json action that does not exist - "remove_router" doesn't exist in the neutron policy.json

2016-11-01 Thread Rick Bartra
Public bug reported:

Horizon checks the "remove_router" neutron action, which doesn't exist in the
neutron policy.json.
Neutron also doesn't check the "remove_router" action in the policy.json when
performing the "neutron firewall-update  --no-routers" CLI command.

Horizon policy check:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/firewalls/tables.py#L251

Neutron policy file in Horizon:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/conf/neutron_policy.json

Neutron policy file in Neutron:
https://github.com/openstack/neutron/blob/master/etc/policy.json

** Affects: horizon
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1638344

Title:
  Horizon checks a neutron policy.json action that does not exist -
  "remove_router" doesn't exist in the neutron policy.json

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1638344/+subscriptions
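
An added example (not part of the report above, and not Horizon or Neutron code): a check that compares the policy actions a dashboard evaluates against the rules a service policy file defines, and shows which rule ends up deciding an undefined action. The policy excerpt and the list of checked actions are constructed; the fall-back to the "default" rule models oslo.policy behaviour and is an assumption about the deployment.

```python
import json

# Constructed excerpt standing in for a service policy.json (not the real file).
SERVICE_POLICY_JSON = """
{
  "default": "rule:admin_or_owner",
  "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
  "update_firewall": "rule:admin_or_owner",
  "delete_firewall": "rule:admin_or_owner"
}
"""

# Constructed list of (scope, action) pairs a dashboard checks before
# offering an operation to the user.
DASHBOARD_CHECKS = [
    ("network", "update_firewall"),
    ("network", "remove_router"),
    ("network", "delete_firewall"),
]

def undefined_actions(policy_json, checks, scope="network"):
    """Actions checked for `scope` that the policy file never defines."""
    rules = json.loads(policy_json)
    return sorted({action for s, action in checks
                   if s == scope and action not in rules})

def effective_rule(policy_json, action):
    """(rule name, rule text) that decides `action`: its own rule if defined,
    otherwise the "default" rule (assumed fall-back), otherwise (None, None)."""
    rules = json.loads(policy_json)
    if action in rules:
        return action, rules[action]
    if "default" in rules:
        return "default", rules["default"]
    return None, None

if __name__ == "__main__":
    for action in undefined_actions(SERVICE_POLICY_JSON, DASHBOARD_CHECKS):
        name, text = effective_rule(SERVICE_POLICY_JSON, action)
        print(f"{action}: not defined, decided by {name!r} -> {text}")
```

Run against the real policy file and the dashboard's checked actions, a non-empty result means the UI decision for that action is made by a rule nobody wrote for it.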
