Reviewed: https://review.opendev.org/706683 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b8c2de86ed46caf7768027e82519c2418989c36b Submitter: Zuul Branch: master
commit b8c2de86ed46caf7768027e82519c2418989c36b Author: Ghanshyam Mann <[email protected]> Date: Sat Feb 8 17:45:12 2020 -0600 Correct os-availability-zone policy check_str os-availability-zone API policy is default to admin_or_owner[1] but API is allowed for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership[2]. If no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 AZ is user facing thing so that any user can list the AZ and use the same for creating server. Code is behaving as expected but policy rule check_str is confusing so let's correct it to base.RULE_ANY. [1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/attach_interfaces.py#L28 [2] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/availability_zone.py#L111 [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 Closes-bug: #1862484 Change-Id: If599a984a33081a93514b1a2ea02c0d5b850da8e ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1862484 Title: GET os-availability-zone API policy is allowed for everyone even policy defaults is admin_or_owner Status in OpenStack Compute (nova): Fix Released Bug description: os-availability-zone API policy is default to admin_or_owner[1] but API is allowed for everyone. This is because API does not pass the project_id in policy target so that oslo policy can decide the ownership. https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/availability_zone.py#L111 and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 We need to default the GET /os-availability-zone policy same as GET details /os-availability-zone which is admin. [1] - https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/availability_zone.py#L27 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1862484/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
