[Openstack-security] [Bug 1187104] Re: Implement policy check for object ownership
Andrew Laski
andrew.laski at rackspace.com
Fri Jun 14 18:14:30 UTC 2013
You are correct that there is no 'owns' check, but the policy engine
does support checking against arbitrary fields in a 'target'. In a
lot (most?) of those checks that occur in the compute/api.py layer, vs
the wsgi layer, the target is an instance dict so something like
user_id:%(user_id)s would work. Now, that's not universally true so
there may be specific checks that could use a more robust target to
check against, and I would suggest opening bugs for specific checks in
that case. So I marked this as invalid because I think it's a bit
general and is somewhat supported. But please open reports for specific
policy checks that are too limiting.
If you're interested in expanding the policy engine capabilities to
support an owns resource that would fall under a blueprint rather than a
bug report.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187104
Title:
Implement policy check for object ownership
Status in OpenStack Compute (Nova):
Invalid
Bug description:
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
This role would allow any member of a project to delete any instance, which is a problem!
We need something like:
"owns:%(resource_id)" which checks the "user_id" field associated with the resource?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1187104/+subscriptions
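The reply above says the ownership gap can be closed without a new "owns" check, because generic rules of the form `field:%(field)s` compare a field of the caller's credentials with the same-named field of the target (the instance dict). The following is an added, self-contained re-implementation of that rule syntax written for this page; it is not Nova's policy module or oslo.policy, only a stand-in with the same `role:`, `field:%(field)s`, `and`/`or` behaviour as the reply describes. The instance, users and rule strings are constructed sample data; they show the bug report's minimal rule letting any project member act on the instance, and the `user_id:%(user_id)s` rule from the reply restricting it to the owner.

```python
"""Minimal stand-in for the Nova policy rule syntax (added example, not Nova code).

Rule atoms:
  "@"                  always allow
  "!"                  always deny
  "role:X"             passes if X is one of the caller's roles
  "field:%(name)s"     passes if creds[field] == target[name] after %-interpolating
                       the right-hand side with the target dict (the generic check
                       the mailing-list reply relies on)
Atoms are combined with "and" / "or"; "and" binds tighter than "or".
Parentheses and "rule:" references are deliberately not supported here.
"""
import re


def _check_atom(atom, target, creds):
    """Evaluate one rule atom against a target dict and caller credentials."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: interpolate the match with the target, then compare to creds.
    try:
        expected = match % target
    except KeyError:
        # The target lacks the field the rule names (e.g. a bare tenant dict used
        # where an instance dict was expected), so the check cannot pass.
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def enforce(rule, target, creds):
    """Return True if the rule allows `creds` to act on `target`."""
    for disjunct in re.split(r"\s+or\s+", rule.strip()):
        atoms = re.split(r"\s+and\s+", disjunct)
        if all(_check_atom(a.strip(), target, creds) for a in atoms):
            return True
    return False


# --- constructed sample data --------------------------------------------
# The target is the instance dict that compute/api.py hands to the policy engine.
INSTANCE = {"user_id": "alice", "tenant_id": "proj-1"}

ALICE = {"user_id": "alice", "tenant_id": "proj-1", "roles": ["member"]}   # owner
BOB = {"user_id": "bob", "tenant_id": "proj-1", "roles": ["member"]}       # same project
CAROL = {"user_id": "carol", "tenant_id": "proj-9", "roles": ["admin"]}    # cloud admin

# The "most minimal" rule quoted in the bug report: any project member passes.
LOOSE_RULE = "role:member and tenant_id:%(tenant_id)s"
# The tightening suggested in the reply: also require the caller to own the target.
OWNER_RULE = "role:member and tenant_id:%(tenant_id)s and user_id:%(user_id)s"
# A common shape for admin actions: admin role, or the owner.
ADMIN_OR_OWNER_RULE = "role:admin or user_id:%(user_id)s"


def decisions(rule, target=INSTANCE):
    """Evaluate `rule` for each sample caller; returns {name: allowed}."""
    callers = {"alice": ALICE, "bob": BOB, "carol": CAROL}
    return {name: enforce(rule, target, creds) for name, creds in callers.items()}


if __name__ == "__main__":
    for name, rule in (("loose", LOOSE_RULE), ("owner", OWNER_RULE),
                       ("admin_or_owner", ADMIN_OR_OWNER_RULE)):
        print(f"{name:15s} {rule!r}: {decisions(rule)}")
```

With the loose rule, bob (a member of proj-1 who does not own the instance) is allowed, which is the problem the bug report raises; adding `user_id:%(user_id)s` denies bob while still allowing alice. The `KeyError` branch matters for the caveat in the reply: if a call site passes a target that does not carry `user_id`, the ownership atom can never succeed, so that call site would need a richer target rather than a different rule.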