[Openstack-security] [Bug 1187104] Re: Implement policy check for object ownership

Scott Devoid devoid at anl.gov
Mon Jun 17 18:09:43 UTC 2013


That's reasonable. A few clarification questions; please forgive me if
these are dumb, but I'm new to OS.

1. Where is the separation between 'wsgi' and compute/api.py layers?

2. From what I can tell, to get the
"openstack.common.policy.GenericCheck" to have an "ownership" check,
we'd need to add "owner_id" to the target and make sure "user_id" was in
the credentials? "user_id:%(user_id)s" should always return true since
target["user_id"] is the user in the credential?

3. Is there someone who has detailed knowledge of the policy stuff?
Looking over the code, I'm going to have trouble landing anything
without a lay-of-the-land.

4. Would expansions to the policy engine fall under the oslo project?
How are changes to both oslo and nova gated? I can already see that
nova.policy calls openstack.common.policy.check but in oslo-incubator
that function no longer exists.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187104

Title:
  Implement policy check for object ownership

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  As far as I can tell, there is no policy check for resource ownership.

  The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
  This role would allow any member of a project to delete any instance, which is a problem!

  We need something like:
  "owns:%(resource_id)" which checks the "user_id" field associated with the resource?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1187104/+subscriptions
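The question in point 2 above (whether "user_id:%(user_id)s" is always true) turns on what the caller passes as the policy target. The following is an added example, not code from nova, oslo or the people in this thread: a deliberately simplified re-implementation of the GenericCheck and RoleCheck semantics from openstack.common.policy (the match string is %-interpolated with the target dict, then compared with the same-named credential key), with constructed credentials and a constructed instance record. It only supports rules joined with "and"; the real engine also handles "or", "not" and parentheses. The names ALICE, BOB, BOB_INSTANCE, context_target and check_rule are all assumptions made for the illustration.

```python
"""Simplified (hypothetical) model of openstack.common.policy GenericCheck
semantics, to show that an ownership rule is only meaningful when the
target carries the *resource's* user_id, not the caller's own user_id."""

# Constructed credentials, shaped like the dict nova derives from the
# request context (not taken from any real deployment).
ALICE = {"user_id": "u-alice", "tenant_id": "t-1", "roles": ["member"]}
BOB = {"user_id": "u-bob", "tenant_id": "t-1", "roles": ["member"]}

# Constructed instance record owned by Bob, in the same tenant as Alice.
BOB_INSTANCE = {"id": "inst-42", "user_id": "u-bob", "tenant_id": "t-1"}

# The "minimal" rule from the bug report, extended with an ownership clause.
OWNER_RULE = "role:member and tenant_id:%(tenant_id)s and user_id:%(user_id)s"


def generic_check(kind, match, target, creds):
    """GenericCheck: interpolate `match` with the target, compare to creds[kind].

    Mirrors the real semantics: 'user_id:%(user_id)s' means
    creds['user_id'] == target['user_id'] after interpolation. A target
    missing the key makes the check fail rather than raise.
    """
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def role_check(match, creds):
    """RoleCheck: case-insensitive membership in the credential's roles."""
    return match.lower() in [r.lower() for r in creds.get("roles", [])]


def check_rule(rule, target, creds):
    """Evaluate a rule of the form 'kind:match and kind:match ...'.

    Hypothetical mini-evaluator: only 'and' is supported here.
    """
    for token in rule.split(" and "):
        kind, match = token.strip().split(":", 1)
        if kind == "role":
            ok = role_check(match, creds)
        else:
            ok = generic_check(kind, match, target, creds)
        if not ok:
            return False
    return True


def context_target(creds):
    """A target built from the caller's *own* context ids (assumed to be what
    an enforce() call without an explicit resource target ends up with).
    Against this target, 'user_id:%(user_id)s' is a tautology."""
    return {"user_id": creds["user_id"], "tenant_id": creds["tenant_id"]}


def instance_target(instance):
    """A target carrying the resource owner's ids; this is what makes the
    user_id clause an actual ownership check."""
    return {"user_id": instance["user_id"], "tenant_id": instance["tenant_id"]}


if __name__ == "__main__":
    # Tautological: Alice "owns" a target made from her own context.
    print(check_rule(OWNER_RULE, context_target(ALICE), ALICE))   # True
    # Real ownership check: Alice may not delete Bob's instance ...
    print(check_rule(OWNER_RULE, instance_target(BOB_INSTANCE), ALICE))  # False
    # ... but Bob may.
    print(check_rule(OWNER_RULE, instance_target(BOB_INSTANCE), BOB))    # True
```

The practical takeaway for the bug is that no new check type is needed for ownership as long as every enforce() call site for an instance-scoped action passes the instance's own user_id (and tenant_id) as the target; where a call site passes the context-derived target instead, the same rule string silently degrades to a tenant-membership check.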
