Thanks for the additional context, Alex. I'll close this bug (mark it as invalid).

** Changed in: nova
       Status: Confirmed => Invalid

** Changed in: nova
     Assignee: Diana Clarke (diana-clarke) => (unassigned)

https://bugs.launchpad.net/bugs/1447164

Title:
  require_admin_context() does not account for policy.json rulesets

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  The API RBAC is done using a policy.json file which allows fine-grained
  control over each API endpoint by setting specific rules. Consequently,
  some defaulted admin-only endpoints can be opened by modifying their
  corresponding policy rules to be for anyone.

  Unfortunately, in many places (in the DB and at the API level following
  the blueprint api-policy-v3), there is a call to
  context.require_admin_context() which is just checking if the user is
  admin or not but doesn't match with the policy rules.

  As we all agreed with api-policy-v3 that RBAC should be done at the API
  level, there is no reason to keep that call to
  context.require_admin_context() and we should assume that policy.json is
  the single source of truth for knowing the access rights.
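
The mismatch the bug description reports, shown as an added example that is not nova's code. It is a simplified model: the policy contents, action names, `Context`, `call` and `audit` are assumptions made for illustration, and only the `require_admin_context` name and the policy.json concept come from the report.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class Context:
    user: str
    roles: set = field(default_factory=set)

    @property
    def is_admin(self):
        return "admin" in self.roles


# Constructed policy; rules are reduced to "" (anyone) or "role:<name>".
POLICY = {
    "compute:list_hosts": "",             # operator opened this to everyone
    "compute:delete_host": "role:admin",  # left admin-only
}


def policy_allows(ctx, action, policy=POLICY):
    rule = policy.get(action, "role:admin")  # unknown action fails closed
    return rule == "" or (rule.startswith("role:") and rule[5:] in ctx.roles)


def require_admin_context(ctx):
    # Model of the hard-coded check: it never consults the policy.
    if not ctx.is_admin:
        raise Forbidden("admin context required")


def call(ctx, action, hard_admin_check):
    """API layer enforces the policy; a lower layer may re-check admin."""
    if not policy_allows(ctx, action):
        raise Forbidden("policy denies " + action)
    if hard_admin_check:
        require_admin_context(ctx)
    return "ok"


def audit(actions_with_hard_check, probe, policy=POLICY):
    """Actions the policy grants to `probe` that the hard check still blocks."""
    return sorted(a for a in actions_with_hard_check
                  if policy_allows(probe, a, policy) and not probe.is_admin)
```

Running `audit` with a non-admin probe context over the actions known to sit behind a hard-coded check lists the places where editing the policy alone will not change who gets access.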