[Openstack-security] [openstack/nova] SecurityImpact review request change I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Thu Jun 18 15:15:37 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/191095

Log:
commit 014e491ed08019bdef930d648f3966706bfd467b
Author: Davanum Srinivas <davanum at gmail.com>
Date:   Fri Jun 12 10:26:08 2015 -0400

    Allow non-admin to list all tenants based on policy
    
    Currently, running 'nova list --all-tenants' with a policy change:
    "compute:get_all_tenants": "role:special_role or is_admin:True"
    
    will not work as expected. The returned list of servers will not
    contain all instances of all tenants. We should support administrators
    who wish to enable this functionality in their policy.json.
    
    We need to fix this problem both in the v2 API and in the v2.1 as well.
    
    Deep in instance_get_all_by_filters_sort, there is a check which adds
    a filter of project_id or user_id if the context is NOT an admin context.
    So, the returned list will be a subset of all the instances in the
    database. To fix this scenario, the easy way is to call get_all with
    an elevated context to pass this check in instance_get_all_by_filters_sort.
    
    So in fixing the bug above, we need to fix the default policy so that
    all-tenants is available by default only to administrators.
    
    UpgradeImpact
    SecurityImpact
    DocImpact: --all-tenants will list all servers for non-admin
    APIImpact: --all-tenants will list all servers for non-admin
    
    Implements blueprint allow-ip6-search-for-non-admin
    Closes-Bug: #1464381
    Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6
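The access path the commit message describes, as an added Python sketch that is not Nova's code: a toy policy evaluator gates the all-tenants request at the API layer, and the DB-layer lookup silently filters non-admin contexts to their own project unless the caller passes an elevated context. The `fixed` flag switches between the pre-patch behaviour and the patched one, and the default policy stays admin-only so the elevation is only reachable after a policy grant. All names, sample rows and the policy evaluator are hypothetical.

```python
# Added illustration, not Nova's code; names and sample data are hypothetical.

# Constructed sample rows standing in for the instances table.
INSTANCES = [
    {"id": "vm-1", "project_id": "tenant-a"},
    {"id": "vm-2", "project_id": "tenant-b"},
    {"id": "vm-3", "project_id": "tenant-c"},
]

# Default policy: admin-only, so the elevated lookup is gated behind is_admin.
DEFAULT_POLICY = {"compute:get_all_tenants": "is_admin:True"}
# The operator-delegated policy quoted in the commit message.
DELEGATED_POLICY = {"compute:get_all_tenants": "role:special_role or is_admin:True"}


class Context:
    def __init__(self, project_id, roles=(), is_admin=False):
        self.project_id, self.roles, self.is_admin = project_id, set(roles), is_admin

    def elevated(self):
        # Same principal, admin flag set: what the patch passes to get_all.
        return Context(self.project_id, self.roles, is_admin=True)


def policy_allows(policy, rule, ctx):
    """Minimal evaluator: 'is_admin:True' and 'role:<name>' clauses joined by ' or '."""
    for clause in policy[rule].split(" or "):
        kind, value = clause.split(":", 1)
        if kind == "is_admin" and ctx.is_admin:
            return True
        if kind == "role" and value in ctx.roles:
            return True
    return False


def instance_get_all_by_filters_sort(ctx, instances=INSTANCES):
    """DB-layer check: a non-admin context only ever sees its own project's rows."""
    if not ctx.is_admin:
        return [row for row in instances if row["project_id"] == ctx.project_id]
    return list(instances)


def list_servers(ctx, all_tenants, policy=DEFAULT_POLICY, fixed=True):
    """API layer; fixed=True elevates only after the policy check has passed."""
    if not all_tenants:
        return instance_get_all_by_filters_sort(ctx)
    if not policy_allows(policy, "compute:get_all_tenants", ctx):
        raise PermissionError("compute:get_all_tenants denied")
    db_ctx = ctx.elevated() if fixed else ctx
    return instance_get_all_by_filters_sort(db_ctx)
```

Without the elevation the policy grant is honoured at the API but defeated by the DB filter; with it, the policy rule alone decides who sees every tenant, which is why the default must stay admin-only.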
