Yes, this isn't cause security vulnerability. We just add hard-
permission checks in the v2 API, that make the flavor api is
unconfiguable by policy.json. We just need remove the hard-code
permission checks.
** Changed in: ossa
Status: Incomplete => Invalid
** Tags removed: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1445335
Title:
create/delete flavor permissions should be controlled by policy.json
Status in OpenStack Compute (Nova):
In Progress
Status in OpenStack Security Advisories:
Invalid
Bug description:
The create/delete flavor rest api always expects the user to be of
admin privileges and ignores the rule defined in the nova/policy.json.
This behavior is observed after these changes >>
https://review.openstack.org/#/c/150352/.
The expected behavior is that the permissions are controlled as per
the rule defined in the policy file and should not mandate that only
an admin should be able to create/delete a flavor
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
