[ops][cinder] notice of incorrect default policy value

Brian Rosmaita rosmaita.fossdev at gmail.com
Wed Dec 16 19:29:36 UTC 2020

Hello operators,

While reviewing Cinder policies recently, Bug #1908315 [0] was 
discovered: "Policy group:reset_group_snapshot_status has incorrect 

This policy governs the "Reset a snapshot's status" action [1].  The 
action is supposed to be admin-only, but the default policy setting is 

This is not a security issue, but it does allow an end user to put a 
group snapshot that they own into an invalid status, with indeterminate 

A fix has been posted for review [2], but if you wish to correct this 
immediately, you can put the following line into your cinder policy file:

   "group:reset_group_snapshot_status": "rule:admin_api"

More information about the cinder policy file can be found at [3].

[0] https://bugs.launchpad.net/cinder/+bug/1908315
[2] https://review.opendev.org/c/openstack/cinder/+/767226
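
One way to confirm that a deployed policy file actually carries the override from this notice, as an added example that is not part of the original message or of cinder itself. The names parse_policy and audit, the rule example:other_rule, the value role:operator and all sample file contents are constructed for illustration; the reader only handles flat one-entry-per-line policy files.

```python
import json
import re

RULE = "group:reset_group_snapshot_status"
WANTED = "rule:admin_api"  # override value given in the notice

# One flat entry, quoted or unquoted, with an optional trailing YAML comment.
ENTRY = re.compile(
    r"""^(?P<q>["']?)(?P<key>.+?)(?P=q)\s*:\s+"""
    r"""(?P<vq>["']?)(?P<val>.*?)(?P=vq)\s*(?:\s#.*)?$"""
)

def parse_policy(text):
    """Return {rule: check_string} from a flat policy.json or policy.yaml body."""
    try:
        data = json.loads(text)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass  # not JSON: fall through to the line-based YAML reader
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out entries are not overrides
        m = ENTRY.match(line)
        if m:
            rules[m.group("key")] = m.group("val")
    return rules

def audit(text):
    """Classify the override state of RULE as (status, configured_value)."""
    value = parse_policy(text).get(RULE)
    if value is None:
        return ("default", None)  # no override: the built-in default applies
    return ("corrected" if value.strip() == WANTED else "custom", value)

# Constructed sample policy files (not taken from a real deployment).
UNPATCHED = '#"group:reset_group_snapshot_status": "<shipped default>"\n' \
            '"example:other_rule": "rule:admin_api"\n'
PATCHED_YAML = '"group:reset_group_snapshot_status": "rule:admin_api"  # bug 1908315\n'
PATCHED_JSON = '{"group:reset_group_snapshot_status": "rule:admin_api"}'
CUSTOM = "group:reset_group_snapshot_status: role:operator\n"

if __name__ == "__main__":
    for name in ("UNPATCHED", "PATCHED_YAML", "PATCHED_JSON", "CUSTOM"):
        print(name, audit(globals()[name]))
```

A result of "default" means the file leaves the rule at the built-in default described in this notice; "custom" means an override exists but differs from the recommended value and should be reviewed by hand.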
