Public bug reported:

All os-server-groups REST calls use the same rule (https://github.com/openstack/nova/blob/master/nova/policies/server_groups.py#L29-L31) instead of having a separate rule for the create, delete, show and list actions on server_groups. This takes away control of RBAC at the REST API level and is incorrect.
Here are the references of the rule being used with the respective REST action.

1. create (https://github.com/openstack/nova/blob/stable/newton/nova/api/openstack/compute/server_groups.py#L136)
2. delete (https://github.com/openstack/nova/blob/stable/newton/nova/api/openstack/compute/server_groups.py#L89)
3. show (https://github.com/openstack/nova/blob/stable/newton/nova/api/openstack/compute/server_groups.py#L78)
4. list (https://github.com/openstack/nova/blob/stable/newton/nova/api/openstack/compute/server_groups.py#L120)

seen in newton

** Affects: nova
   Importance: Undecided
   Assignee: prashkre (prashkre)
   Status: New

** Changed in: nova
   Assignee: (unassigned) => prashkre (prashkre)

https://bugs.launchpad.net/bugs/1636157

Title:
  os-server-groups uses same policy.json rule for all CRUD operations

Status in OpenStack Compute (nova):
  New
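The effect of the single shared rule described in this report, as an added example that is not part of the bug report and is not nova or oslo.policy code. The rule keys, roles and rule strings are constructed for illustration; it compares what a read-only role can do under one shared rule and under separate per-action rules.

```python
# Added illustration: a minimal policy check, not nova or oslo.policy code.
# Rule keys, roles and rule strings below are constructed for the example.
ACTIONS = ("create", "delete", "show", "list")
PREFIX = "os-server-groups"


def check(rule, roles):
    """Evaluate a rule of the form 'role:a or role:b' against the caller's roles."""
    wanted = {term.strip().split(":", 1)[1] for term in rule.split(" or ")}
    return bool(wanted & set(roles))


def authorize(policy, action, roles):
    """Use the per-action rule if the policy defines one, else the shared rule."""
    rule = policy.get(f"{PREFIX}:{action}", policy.get(PREFIX))
    return rule is not None and check(rule, roles)  # no rule at all: deny


def allowed_actions(policy, roles):
    """Return the set of server-group actions the roles may perform."""
    return {a for a in ACTIONS if authorize(policy, a, roles)}


# One rule for every action, as the bug describes.
SHARED = {PREFIX: "role:admin or role:member"}
# The only way to let an auditor read is to widen that one rule.
SHARED_WIDENED = {PREFIX: "role:admin or role:member or role:auditor"}
# Separate rules per action, as the bug requests.
PER_ACTION = {
    f"{PREFIX}:create": "role:admin or role:member",
    f"{PREFIX}:delete": "role:admin",
    f"{PREFIX}:show": "role:admin or role:member or role:auditor",
    f"{PREFIX}:list": "role:admin or role:member or role:auditor",
}

if __name__ == "__main__":
    for name, policy in [("shared", SHARED), ("shared, widened", SHARED_WIDENED),
                         ("per-action", PER_ACTION)]:
        print(name, "-> auditor may:", sorted(allowed_actions(policy, ["auditor"])))
```

With the shared rule, granting the auditor role read access also grants create and delete; only the per-action policy can express read-only access.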

