[Openstack-security] [Bug 1187104] [NEW] Implement policy check for object ownership
Scott Devoid
devoid at anl.gov
Mon Jun 3 19:26:40 UTC 2013
Public bug reported:
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
This role would allows any member of a project to delete any instance, which is a problem!
We need something like:
"owns:%(resource_id)" which checks the "user_id" field associated with the resource?
** Affects: nova
Importance: Undecided
Status: New
** Tags: ops security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187104
Title:
Implement policy check for object ownership
Status in OpenStack Compute (Nova):
New
Bug description:
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
This role would allows any member of a project to delete any instance, which is a problem!
We need something like:
"owns:%(resource_id)" which checks the "user_id" field associated with the resource?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1187104/+subscriptions
More information about the Openstack-security
mailing list