Public bug reported:

Nova compute services use the privsep library [1] for specific 'root' privilege usage for a command or a direct call to the system.

Unfortunately, our current usage of this library is not really a good recommendation: instead of using a sysadmin context that uses *all* privileged caps for any caller we have [2], we should rather define a per-call context with specific caps.

[1] https://docs.openstack.org/oslo.privsep/latest/user/index.html
[2] https://github.com/openstack/nova/blob/c97507dfcd57cce9d76670d3b0d48538900c00e9/nova/privsep/__init__.py#L21-L31

** Affects: nova
     Importance: Wishlist
         Status: Triaged

** Tags: low-hanging-fruit rfe

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1996213

Title:
  [rfe] modify our usage of privsep in nova

Status in OpenStack Compute (nova):
  Triaged
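The split the report asks for, shown as an added example that is not nova's code: a catch-all context modelled on nova's sys_admin_pctxt (the six capabilities listed here are an approximation of it) beside two narrow per-call contexts, with a small audit of the capabilities each context grants beyond what the decorated call needs. It uses the oslo.privsep PrivContext API and its entrypoint decorator when the library is installed, and otherwise a stand-in that only records the declared capability lists; the per-call context names, the two entrypoints and the required-capability table are this example's assumptions.

```python
"""Narrow per-call privsep contexts versus one catch-all sysadmin context.

Added example, not nova's code.  Uses oslo.privsep when installed; otherwise a
minimal stand-in (assumption: same constructor shape) records the declared
capabilities so the comparison below still runs.  The entrypoint bodies are
illustrative and are never executed by this module.
"""
import os
import subprocess

try:
    from oslo_privsep import capabilities as caps
    from oslo_privsep import priv_context
except ImportError:  # stand-in: no daemon, no config registration
    class caps:
        # numbering follows linux/capability.h, as oslo.privsep's constants do
        CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = 0, 1, 2
        CAP_FOWNER, CAP_NET_ADMIN, CAP_SYS_ADMIN = 3, 12, 21

    class priv_context:
        class PrivContext:
            def __init__(self, prefix, cfg_section, pypath, capabilities):
                self.prefix, self.cfg_section, self.pypath = prefix, cfg_section, pypath
                self.capabilities = list(capabilities)

            def entrypoint(self, func):
                return func

# The prefix must cover the module that defines the entrypoints (nova uses
# 'nova'); using __name__ keeps this stand-alone file valid for the real library.
_PREFIX = __name__

# "Before": one context carrying every capability any caller might need.  Each
# entrypoint decorated with it runs in the daemon with all six, whatever it does.
sys_admin_pctxt = priv_context.PrivContext(
    _PREFIX,
    cfg_section='nova_sys_admin',
    pypath=__name__ + '.sys_admin_pctxt',
    capabilities=[caps.CAP_CHOWN, caps.CAP_DAC_OVERRIDE,
                  caps.CAP_DAC_READ_SEARCH, caps.CAP_FOWNER,
                  caps.CAP_NET_ADMIN, caps.CAP_SYS_ADMIN],
)

# "After": one context per kind of privileged call, with only the capabilities
# that call needs.  The names below are this example's, not nova's.
chown_pctxt = priv_context.PrivContext(
    _PREFIX, cfg_section='nova_chown', pypath=__name__ + '.chown_pctxt',
    capabilities=[caps.CAP_CHOWN, caps.CAP_FOWNER])

net_admin_pctxt = priv_context.PrivContext(
    _PREFIX, cfg_section='nova_net_admin', pypath=__name__ + '.net_admin_pctxt',
    capabilities=[caps.CAP_NET_ADMIN])


@chown_pctxt.entrypoint
def chown(path, uid, gid):
    """Change ownership of a file nova manages (CAP_CHOWN, CAP_FOWNER)."""
    os.chown(path, uid, gid)


@net_admin_pctxt.entrypoint
def set_link_up(ifname):
    """Bring a network interface up (CAP_NET_ADMIN only)."""
    subprocess.check_call(['ip', 'link', 'set', ifname, 'up'])


# What each call actually needs (assumed here), so excess can be measured.
REQUIRED_CAPS = {
    'chown': {caps.CAP_CHOWN, caps.CAP_FOWNER},
    'set_link_up': {caps.CAP_NET_ADMIN},
}
PER_CALL_CONTEXT = {'chown': chown_pctxt, 'set_link_up': net_admin_pctxt}


def excess_capabilities(context, required):
    """Capabilities the context grants that the call does not need."""
    return sorted(set(context.capabilities) - set(required))


def audit():
    """Per call: unneeded capabilities under the catch-all and per-call contexts."""
    return {
        name: {
            'catch_all': excess_capabilities(sys_admin_pctxt, need),
            'per_call': excess_capabilities(PER_CALL_CONTEXT[name], need),
        }
        for name, need in REQUIRED_CAPS.items()
    }


if __name__ == '__main__':
    for name, result in audit().items():
        print(f"{name}: catch-all grants {len(result['catch_all'])} unneeded "
              f"capabilities, per-call context grants {len(result['per_call'])}")
```

Only the capability lists are compared; calling an entrypoint would start the privsep daemon, which is deliberately not done here. The useful property of the per-call form is that the audit reports no excess for either call, whereas under the catch-all context bringing an interface up also runs with CAP_SYS_ADMIN and the DAC-override capabilities.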