Reviewed: https://review.opendev.org/717212 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=00d68257bcae38e42339eb9426e652ca39341191 Submitter: Zuul Branch: master
commit 00d68257bcae38e42339eb9426e652ca39341191 Author: Ghanshyam Mann <gm...@ghanshyammann.com> Date: Fri Apr 3 03:02:59 2020 -0500 Fix server password policy to be admin_or_owner server password API policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/717204 This is because API does not pass the server project_id in policy target[2] and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone who try to access)[3] This commit fix this policy by passing the server's project_id in policy target. Closes-bug: #1870488 Partial implement blueprint policy-defaults-refresh [1] https://github.com/openstack/nova/blob/e487b05f7e451af4f29699c3b34d9d2cc1b1205a/nova/policies/server_password.py#L27 [2] https://github.com/openstack/nova/blob/e487b05f7e451af4f29699c3b34d9d2cc1b1205a/nova/api/openstack/compute/server_password.py#L34 [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 Change-Id: I4cf3fef325b09f1452642f22dc121d2820586a7a ** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1870488 Title: server password API policy is allowed for everyone even policy defaults is admin_or_owner Status in OpenStack Compute (nova): Fix Released Bug description: server password API policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/717204 This is because API does not pass the server project_id in policy target - https://github.com/openstack/nova/blob/e487b05f7e451af4f29699c3b34d9d2cc1b1205a/nova/api/openstack/compute/server_password.py#L34 and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone try to access) - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 [1] - https://github.com/openstack/nova/blob/e487b05f7e451af4f29699c3b34d9d2cc1b1205a/nova/policies/server_password.py#L27 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1870488/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp