Please note the correction below. Apologies for any confusion. On 12/16/20 2:29 PM, Brian Rosmaita wrote:
Hello operators,
While reviewing Cinder policies recently, Bug #1908315 [0] was discovered: "Policy group:reset_group_snapshot_status has incorrect checkstring".
This policy governs the "Reset a snapshot's status" action [1]. The action is supposed to be admin-only, but the default policy setting is admin-or-owner.
Correction: the API action governed is (of course, given the policy name) "Reset group snapshot status": https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-st...
This is not a security issue, but it does allow an end user to put a group snapshot that they own into an invalid status, with indeterminate consequences.
A fix has been posted for review [2], but if you wish to correct this immediately, you can put the following line into your cinder policy file:
"group:reset_group_snapshot_status": "rule:admin_api"
More information about the cinder policy file can be found at [3].
[0] https://bugs.launchpad.net/cinder/+bug/1908315
[1] https://docs.openstack.org/api-ref/block-storage/v3/#reset-a-snapshot-s-stat...
[2] https://review.opendev.org/c/openstack/cinder/+/767226
[3] https://docs.openstack.org/cinder/latest/configuration/block-storage/samples...
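As an added illustration (not code from the mail, nor cinder's or oslo.policy's own code): a tiny checkstring evaluator, a simplified stand-in for oslo.policy, that compares who the admin-or-owner default and the corrected "rule:admin_api" line each permit to reset a group snapshot's status. The admin_api and admin_or_owner rule bodies and the sample credentials are assumptions constructed here, not taken from a real policy file.

```python
import re
# Constructed policy fragments (assumed, not copied from a cinder policy file):
# admin_api / admin_or_owner follow cinder's usual defaults; the fixed line is
# the one quoted in the mail, the buggy line is the admin-or-owner default.
BASE_RULES = {
    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
    "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True)"
                      " or project_id:%(project_id)s",
}
ACTION = "group:reset_group_snapshot_status"
BUGGY_POLICY = dict(BASE_RULES, **{ACTION: "rule:admin_or_owner"})
FIXED_POLICY = dict(BASE_RULES, **{ACTION: "rule:admin_api"})
# Tokens: parentheses, or a run of non-space text in which %(attr)s stays whole.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")

def _term(term, rules, creds, target):
    """Evaluate one 'kind:value' check (rule:, role:, or attribute match)."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return evaluate(rules[value], rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):  # target substitution
        value = target.get(value[2:-2])
    return str(creds.get(kind)) == str(value)
def evaluate(expr, rules, creds, target):
    """Evaluate a checkstring: 'and' binds tighter than 'or', parentheses group."""
    tokens, pos = _TOKEN.findall(expr), [0]
    def primary():
        tok = tokens[pos[0]]; pos[0] += 1
        if tok == "(":
            inner = disjunction(); pos[0] += 1  # consume the closing ')'
            return inner
        return _term(tok, rules, creds, target)
    def conjunction():
        result = primary()
        while pos[0] < len(tokens) and tokens[pos[0]] == "and":
            pos[0] += 1
            result = primary() and result  # evaluate fully so tokens are consumed
        return result
    def disjunction():
        result = conjunction()
        while pos[0] < len(tokens) and tokens[pos[0]] == "or":
            pos[0] += 1
            result = conjunction() or result
        return result
    return disjunction()
def allowed(policy, creds, target):
    # Can this caller reset the status of the group snapshot described by target?
    return evaluate(policy[ACTION], policy, creds, target)
```

Against a real deployment the same question is answered by oslopolicy-checker from oslo.policy rather than this stand-in.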