Reviewed:  https://review.opendev.org/584530
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d2cc0dc5663657ae80550954269e19a6a8157501
Submitter: Zuul
Branch:    master

commit d2cc0dc5663657ae80550954269e19a6a8157501
Author: Rick Bartra <[email protected]>
Date:   Fri Jul 20 17:42:09 2018 -0400

    Add Policy enforcement for several Metadata Definition delete APIs

    Several Metadata Definition delete APIs do not have RBAC. This
    patchset adds policy enforcement to the following APIs:

    - `Delete namespace`
    - `Delete object`
    - `Remove resource type association`
    - `Remove property definition`
    - `Delete tag definition`
    - `Delete all tag definitions`

    The following actions are enforced and added to the policy.json:

    - `delete_metadef_namespace`
    - `delete_metadef_object`
    - `remove_metadef_resource_type_association`
    - `remove_metadef_property`
    - `delete_metadef_tag`
    - `delete_metadef_tags`

    Most other APIs have policy enforcement, so the ones above should as
    well. Without adding policy enforcement for the above APIs, all roles
    can perform the delete APIs noted above.

    Change-Id: I8cd6eb26b0d3401fa4667384c31e4c56d838d42b
    Closes-Bug: #1782840
    Co-Authored-By: [email protected]

** Changed in: glance
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1782840

Title:
  No policy enforcement for several delete metadef APIs

Status in Glance:
  Fix Released

Bug description:
  There is no policy enforcement for the following APIs:

  Delete namespace:
  https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-namespace

  Delete object:
  https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-object

  Remove resource type association:
  https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-resource-type-association

  Remove property definition:
  https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#remove-property-definition

  Delete tag definition:
  https://developer.openstack.org/api-ref/image/v2/metadefs-index.html#delete-tag-definition

  Most other APIs have policy enforcement, so the ones above should as
  well. Without adding policy enforcement for the above APIs, even the
  least privileged users (i.e. user with reader role) can perform the
  delete APIs noted above.
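
The commit above names six policy actions; on a Glance that includes the change, they restrict nothing unless the deployed policy.json gives them a restrictive rule. The following check is an added example (not code from the Glance patch or the bug report) that reports which of the six are still callable by every role. SAMPLE_POLICY is constructed, and the helper names, the fallback to the "default" rule and the allow-all forms "", "@" and [] are assumptions about how oslo.policy evaluates the file.

```python
import json
import re

# Policy actions named in the commit message above.
METADEF_DELETE_ACTIONS = (
    "delete_metadef_namespace",
    "delete_metadef_object",
    "remove_metadef_resource_type_association",
    "remove_metadef_property",
    "delete_metadef_tag",
    "delete_metadef_tags",
)
# Constructed sample policy.json, for illustration only.
SAMPLE_POLICY = """{
  "default": "",
  "metadef_admin": "role:admin",
  "delete_metadef_namespace": "rule:metadef_admin",
  "delete_metadef_tag": "@",
  "delete_metadef_tags": "rule:default"
}"""


def _lookup(rules, name):
    """Rule for name, else the "default" rule, else None (treated as deny)."""
    return rules.get(name, rules.get("default"))


def _resolve(rules, rule):
    """Follow plain "rule:<name>" aliases; compound expressions are left alone."""
    seen = set()
    while isinstance(rule, str):
        alias = re.fullmatch(r"rule:(\S+)", rule.strip())
        if alias is None:
            return rule.strip()
        if alias.group(1) in seen:
            return None  # alias cycle: nothing to evaluate
        seen.add(alias.group(1))
        rule = _lookup(rules, alias.group(1))
    return rule


def audit_metadef_delete_policy(policy_text):
    """Map each delete action open to every role to where its rule came from."""
    rules = json.loads(policy_text)
    findings = {}
    for action in METADEF_DELETE_ACTIONS:
        rule = _resolve(rules, _lookup(rules, action))
        if rule in ("", "@") or rule == []:
            findings[action] = "explicit" if action in rules else "default"
    return findings
```

A result of "default" means the action has no entry of its own and inherits an allow-all "default" rule; "explicit" means the action's own entry allows everyone.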

