[Yahoo-eng-team] [Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json
You've switched the status of this bug to indicate an exploitable security vulnerability. Can you please clarify the conditions under which this bug can be exploited by a malicious actor, and the extent of the impact it implies? ** Also affects: ossa Importance: Undecided Status: New ** Changed in: ossa Status: New => Incomplete -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1445335 Title: create/delete flavor permissions should be controlled by policy.json Status in OpenStack Compute (Nova): Confirmed Status in OpenStack Security Advisories: Incomplete Bug description: The create/delete flavor rest api always expects the user to be of admin privileges and ignores the rule defined in the nova/policy.json. This behavior is observed after these changes >> https://review.openstack.org/#/c/150352/. The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json
Yes, this isn't cause security vulnerability. We just add hard- permission checks in the v2 API, that make the flavor api is unconfiguable by policy.json. We just need remove the hard-code permission checks. ** Changed in: ossa Status: Incomplete => Invalid ** Tags removed: security -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1445335 Title: create/delete flavor permissions should be controlled by policy.json Status in OpenStack Compute (Nova): In Progress Status in OpenStack Security Advisories: Invalid Bug description: The create/delete flavor rest api always expects the user to be of admin privileges and ignores the rule defined in the nova/policy.json. This behavior is observed after these changes >> https://review.openstack.org/#/c/150352/. The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json
** Also affects: nova/kilo Importance: Undecided Status: New ** Changed in: nova/kilo Status: New => In Progress ** Changed in: nova/kilo Importance: Undecided => High ** Changed in: nova/kilo Milestone: None => kilo-rc2 -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1445335 Title: create/delete flavor permissions should be controlled by policy.json Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) kilo series: In Progress Status in OpenStack Security Advisories: Invalid Bug description: The create/delete flavor rest api always expects the user to be of admin privileges and ignores the rule defined in the nova/policy.json. This behavior is observed after these changes >> https://review.openstack.org/#/c/150352/. The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json
** Changed in: nova/kilo Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1445335 Title: create/delete flavor permissions should be controlled by policy.json Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) kilo series: Fix Released Status in OpenStack Security Advisories: Invalid Bug description: The create/delete flavor rest api always expects the user to be of admin privileges and ignores the rule defined in the nova/policy.json. This behavior is observed after these changes >> https://review.openstack.org/#/c/150352/. The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1445335] Re: create/delete flavor permissions should be controlled by policy.json
** Changed in: nova Status: Fix Committed => Fix Released ** Changed in: nova Milestone: None => liberty-1 -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1445335 Title: create/delete flavor permissions should be controlled by policy.json Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) kilo series: Fix Released Status in OpenStack Security Advisories: Invalid Bug description: The create/delete flavor rest api always expects the user to be of admin privileges and ignores the rule defined in the nova/policy.json. This behavior is observed after these changes >> https://review.openstack.org/#/c/150352/. The expected behavior is that the permissions are controlled as per the rule defined in the policy file and should not mandate that only an admin should be able to create/delete a flavor To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1445335/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
