[api-sig][neutron] Question on oslo policy assertion when supplied attribute equals the default

Slawek Kaplonski skaplons at redhat.com
Tue Apr 23 07:14:00 UTC 2019


On Mon, Apr 22, 2019 at 04:05:48PM -0500, Eric Fried wrote:
> > this change might give a lower privileged user (eg a user who cannot
> > specify "ha") the ability to sniff around for the defaults,
> This was the only thing I could think of.
> > but i'm
> > not sure if that information represents a security risk in this case.
> Because they could also find that out by looking at the source code?

But in some corner case it might be even patched and defaults can be different
in some specific cloud.
Maybe for such case we can make this new behaviour configurable? So there would
be some config option which operator can use to disable accepting default values
for forbidden parameters.

> efried
> .

Slawek Kaplonski
Senior software engineer
Red Hat

More information about the openstack-discuss mailing list