Reviewed: https://review.opendev.org/707457
Committed:
https://git.openstack.org/cgit/openstack/nova/commit/?id=f83c591e30e5283af3bd6b05b7bd041c83d5c20f
Submitter: Zuul
Branch: master
commit f83c591e30e5283af3bd6b05b7bd041c83d5c20f
Author: Ghanshyam Mann <gm...@ghanshyammann.com>
Date: Wed Feb 12 13:28:40 2020 -0600
Fix os-os-deferred-delete policy to be admin_or_owner
os-deferred-delete restore server API policy is default to
admin_or_owner[1] but API
is allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/707455/
This is because API does not pass the server project_id in policy target[2]
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone who try to access)[3]
This commit fix this policy by passing the server's project_id in policy
target.
Closes-bug: #1863009
[1]
https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/deferred_delete.py#L27
[2]
https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/deferred_delete.py#L38
[3]
https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
Change-Id: Ib05501b678d0b58bbd9e77cd5d79a9b6ef661497
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1863009
Title:
os-deferred-delete restore server API policy is allowed for everyone
even policy defaults is admin_or_owner
Status in OpenStack Compute (nova):
Fix Released
Bug description:
os-deferred-delete restore server API policy is default to
admin_or_owner[1] but API is allowed for everyone.
We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/707455/
This is because API does not pass the server project_id in policy target
-
https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/deferred_delete.py#L38
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone try to access)
-
https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191
[1]
-
https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/deferred_delete.py#L27
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1863009/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
