Please note the correction below. Apologies for any confusion.

On 12/16/20 2:29 PM, Brian Rosmaita wrote:
> Hello operators,
>
> While reviewing Cinder policies recently, Bug #1908315 [0] was
> discovered: "Policy group:reset_group_snapshot_status has incorrect
> checkstring".
>
> This policy governs the "Reset a snapshot's status" action [1]. The
> action is supposed to be admin-only, but the default policy setting is
> admin-or-owner.

Correction: the API action governed is (of course, given the policy name)
"Reset group snapshot status":
https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status

> This is not a security issue, but it does allow an end user to put a
> group snapshot that they own into an invalid status, with indeterminate
> consequences.
>
> A fix has been posted for review [2], but if you wish to correct this
> immediately, you can put the following line into your cinder policy file:
>
> "group:reset_group_snapshot_status": "rule:admin_api"
>
> More information about the cinder policy file can be found at [3].
>
>
> [0] https://bugs.launchpad.net/cinder/+bug/1908315
> [1] https://docs.openstack.org/api-ref/block-storage/v3/#reset-a-snapshot-s-status
> [2] https://review.opendev.org/c/openstack/cinder/+/767226
> [3] https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html
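The one-line policy override above is the whole fix, but an operator may want to confirm what the effective policy actually grants rather than read the file by eye. What follows is an added example, not code from this message and not cinder's or oslo.policy's own code: a stand-alone Python re-implementation of the oslo.policy check-string semantics (rule: references, role: checks, generic attribute checks such as project_id:%(project_id)s, and/or/not with parentheses) that evaluates group:reset_group_snapshot_status for a non-admin owner, first with the admin-or-owner default the bug report describes and then with the suggested "rule:admin_api" line. The base rule definitions (context_is_admin, admin_or_owner, admin_api) are assumed to match cinder's stock defaults, the credentials and target are constructed, and an undefined rule simply denies (real oslo.policy would consult a "default" rule instead).

```python
# Added example (not from the mailing-list post, cinder or oslo.policy):
# a minimal evaluator for oslo.policy-style check strings, used to audit
# whether a non-admin owner can reach group:reset_group_snapshot_status.
# ASSUMPTION: the three base rules below are cinder's stock definitions.

# Constructed sample policy contents, as a dict of rule name -> check string.
BUGGY_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": ("is_admin:True or (role:admin and is_admin_project:True)"
                       " or project_id:%(project_id)s"),
    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
    "group:reset_group_snapshot_status": "rule:admin_or_owner",   # the bug
}
FIXED_POLICY = dict(BUGGY_POLICY)
FIXED_POLICY["group:reset_group_snapshot_status"] = "rule:admin_api"  # the suggested line


def tokenize(check_str):
    """Split a check string the way oslo.policy does: on whitespace, peeling
    leading '(' and trailing ')' off each token, so '%(project_id)s' survives."""
    for tok in check_str.split():
        stripped = tok.lstrip("(")
        for _ in range(len(tok) - len(stripped)):
            yield "("
        if not stripped:
            continue
        body = stripped.rstrip(")")
        if body:
            yield body
        for _ in range(len(stripped) - len(body)):
            yield ")"


class _Parser:
    """Recursive descent: 'not' binds tighter than 'and', 'and' tighter than 'or'."""

    def __init__(self, tokens):
        self.toks = list(tokens)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of check string")
        self.pos += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def _or(self):
        node = self._and()
        while (self._peek() or "").lower() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while (self._peek() or "").lower() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if (self._peek() or "").lower() == "not":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok == "@":      # oslo.policy: always allow
            return ("true",)
        if tok == "!":      # oslo.policy: always deny
            return ("false",)
        kind, _, match = tok.partition(":")
        return ("check", kind, match)


def _evaluate(node, rules, creds, target, depth):
    op = node[0]
    if op == "true":
        return True
    if op == "false":
        return False
    if op == "or":
        return _evaluate(node[1], rules, creds, target, depth) or \
            _evaluate(node[2], rules, creds, target, depth)
    if op == "and":
        return _evaluate(node[1], rules, creds, target, depth) and \
            _evaluate(node[2], rules, creds, target, depth)
    if op == "not":
        return not _evaluate(node[1], rules, creds, target, depth)
    kind, match = node[1], node[2]
    if kind == "rule":                       # reference to another named rule
        if depth > 32:
            raise ValueError("rule nesting too deep (cycle?)")
        return enforce(match, rules, creds, target, depth + 1)
    if kind == "role":                       # role membership check
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: interpolate target attributes into the match value and
    # compare with the string form of the credential attribute.
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def enforce(rule_name, rules, creds, target, depth=0):
    """True if `rules` grants `rule_name` to `creds` acting on `target`.
    Undefined rule -> deny (simplification, see lead-in)."""
    check_str = rules.get(rule_name)
    if check_str is None:
        return False
    tokens = list(tokenize(check_str))
    if not tokens:                           # empty check string always allows
        return True
    return _evaluate(_Parser(tokens).parse(), rules, creds, target, depth)


# Constructed principals: a plain member who owns the group snapshot, and an admin.
MEMBER_CREDS = {"roles": ["member"], "is_admin": False, "is_admin_project": False,
                "project_id": "proj-a", "user_id": "user-1"}
ADMIN_CREDS = {"roles": ["admin"], "is_admin": True, "is_admin_project": True,
               "project_id": "proj-admin", "user_id": "admin-1"}
GROUP_SNAPSHOT_IN_PROJ_A = {"project_id": "proj-a"}   # constructed target


def can_reset_group_snapshot_status(rules, creds, target=GROUP_SNAPSHOT_IN_PROJ_A):
    return enforce("group:reset_group_snapshot_status", rules, creds, target)


def audit(rules):
    """Returns (verdict, member_allowed, admin_allowed); a non-admin owner
    getting through means the policy file still needs the admin_api line."""
    member_ok = can_reset_group_snapshot_status(rules, MEMBER_CREDS)
    admin_ok = can_reset_group_snapshot_status(rules, ADMIN_CREDS)
    return ("FIX NEEDED" if member_ok else "OK"), member_ok, admin_ok


if __name__ == "__main__":
    for label, rules in (("buggy default", BUGGY_POLICY),
                         ("with admin_api line", FIXED_POLICY)):
        print(label, audit(rules))
```

To run this against a real deployment, load the deployed policy.yaml into the `rules` dict (the rule names and check strings are the same format) and keep the constructed member credentials; the point of the audit is that the buggy default reports FIX NEEDED because the owner of the group snapshot is let through, while the admin_api override reports OK and still admits the admin.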