Reviewed: https://review.opendev.org/717525 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=88e399c98b2abd3e851b1c1c5124d5f1899d6f19 Submitter: Zuul Branch: master
commit 88e399c98b2abd3e851b1c1c5124d5f1899d6f19 Author: Ghanshyam Mann <[email protected]> Date: Sat Apr 4 23:48:33 2020 -0500 Correct server topology policy check_str server topology API policy is default to admin_or_owner[1] but API is allowed (which is expected) for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership[2]. If no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 Passing the server project_id as target to make it admin_or_owner. [1] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24 [2] https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30 Change-Id: I3296e08f16adf95949822bc43c03ef42fed74a4a Closes-bug: #1870872 ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1870872 Title: server topology API policy is allowed for everyone even policy defaults is admin_or_owner Status in OpenStack Compute (nova): Fix Released Bug description: server topology index policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/717524/ This is because API does not pass the server project_id in policy target - https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/api/openstack/compute/server_topology.py#L30 and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 [1] - https://github.com/openstack/nova/blob/e4ac401d1a9d5fba24bc22141b362a5400d9d096/nova/policies/server_topology.py#L24 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1870872/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
