** Changed in: nova
Importance: Undecided => Wishlist
** Changed in: nova
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1187104
Title:
Implement policy check for object ownership
Status in OpenStack Compute (Nova):
Invalid
Bug description:
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and
tenant-membership. This means that the most minimal policy for an action, e.g.
"compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
This role would allow any member of a project to delete any instance, which
is a problem!
We need something like:
"owns:%(resource_id)" which checks the "user_id" field associated with the
resource?
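The gap described in the bug, as an added example that is not nova's code and not part of the report: a simplified evaluator for `kind:%(field)s` style rules, run against constructed users and one constructed instance. The evaluator itself, the `Member` role name, and the `user_id:%(user_id)s` ownership term are assumptions made for illustration.

```python
# Simplified model of "kind:match" policy rules joined by " and ".
# Not nova's policy engine; names and sample data below are constructed.

def check(rule, creds, target):
    """Return True only if every term of the rule holds (fails closed)."""
    for term in rule.split(" and "):
        kind, _, match = term.strip().partition(":")
        if kind == "role":
            roles = [r.lower() for r in creds.get("roles", [])]
            if match.lower() not in roles:
                return False
            continue
        try:
            expected = match % target   # substitute %(field)s from the resource
        except KeyError:
            return False                # resource lacks the field: deny
        if kind not in creds or str(creds[kind]) != expected:
            return False
    return True

# Tenant-membership rule from the report (role name is a placeholder).
TENANT_RULE = "role:Member and tenant_id:%(tenant_id)s"
# Hypothetical ownership term added in the same substitution style.
OWNER_RULE = TENANT_RULE + " and user_id:%(user_id)s"

# Constructed sample data: alice owns the instance, bob shares her project.
INSTANCE = {"id": "inst-1", "tenant_id": "p1", "user_id": "alice"}
ALICE = {"user_id": "alice", "tenant_id": "p1", "roles": ["Member"]}
BOB = {"user_id": "bob", "tenant_id": "p1", "roles": ["Member"]}
CAROL = {"user_id": "carol", "tenant_id": "p2", "roles": ["Member"]}

def decisions(rule, target=INSTANCE):
    """Map each sample user to the allow/deny result for compute:delete."""
    users = (ALICE, BOB, CAROL)
    return {u["user_id"]: check(rule, u, target) for u in users}

if __name__ == "__main__":
    print("tenant rule:", decisions(TENANT_RULE))
    print("owner rule: ", decisions(OWNER_RULE))
```

Under the tenant-only rule bob is allowed to delete alice's instance; with the ownership term only alice is, and a resource record missing `user_id` is denied for everyone.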