[nova][dev][ops] can we get rid of 'project_only' in the DB layer?
Matt Riedemann
mriedemos at gmail.com
Tue Feb 19 16:42:32 UTC 2019
On 2/18/2019 8:22 PM, melanie witt wrote:
> Right, that is the proposal in this email. That we should remove
> project_only=True and let the API policy check handle whether or not the
> user from a different project is allowed to get the instance. Otherwise,
> users are not able to use policy to control the behavior because it is
> hard-coded in the database layer.
I think this has always been the long-term goal and I remember a spec
from John about it [1] but having said that, the spec was fairly
complicated (to me at least) and sounds like there would be a fair bit
of auditing of the API code we'd need to do before we can remove the DB
API check, which means it's likely not something we can complete at this
point in Stein.
For example, I think we have a lot of APIs that run the policy check on
the context (project_id and user_id) as the target before even pulling
the resource from the database, and the resource itself should be the
target, right?
[1] https://review.openstack.org/#/c/433037/
--
Thanks,
Matt
More information about the openstack-discuss
mailing list