[Openstack-operators] Nova 2.1 and user permissions in the policy file

Adam Young ayoung at redhat.com
Mon May 23 15:28:34 UTC 2016


On 05/23/2016 11:02 AM, Sean Dague wrote:
> On 05/23/2016 10:24 AM, Tim Bell wrote:
>>   
>>
>> Quick warning for those who are dependent on the "user_id:%(user_id)s"
>> syntax for limiting actions by user. According to
>> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
>> apparently not intended according to the bug report feedback. The
>> behavior has changed from v2 to v2.1 and the old syntax no longer works.
v2 to v2.1 of what?

> Well, the behavior changes with the backend code base. By mitaka the
> default backend code for both is the same. And the legacy code base is
> about to be removed.
>
> This feature (policy enforcement by user_id) was 100% untested, which is
> why it never ended up in the new API stack. Being untested setting
> owner: 'user_id: %(user_id)s' might have some really unexpected results
> because not everything has a user_id.
>
>> There can be security implications also so I’d recommend those using
>> this current v2 feature to review the bug to understand the potential
>> impacts as clouds enable v2.1.
> While I understand from the bug report what your use case is now, I'm
> kind of wondering what the shared resources / actions of these 150
> people are in this project. Are they all in the same project for other
> reasons?

My sediments exactly.  In cloud, you should never be looking at a user 
id for policy.  It should be possible to always have more than one user 
perform an action, and enforce policy on the project_id.

The one exception for this is Barbican managing cryptographic secrets 
for a user's Identity.

And yes, I meant to say sediments.  I'm trying to be part of the solution.

>
> 	-Sean
>

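The policy syntax discussed above, as an added example that is not part of the original thread and is not Nova or oslo.policy code: a deliberately small stand-in for an oslo.policy-style evaluator run over two constructed policy.json fragments, one with the project-scoped owner rule Adam recommends and one with the `user_id:%(user_id)s` variant the thread warns about. The user, project and instance records are constructed; the only oslo.policy behaviour reproduced is that a `key:%(k)s` check against a target lacking `k` evaluates to False instead of raising.

```python
"""Minimal oslo.policy-style evaluator (added example, not Nova or
oslo.policy code). It supports just enough of the policy.json grammar
('or'-joined atoms, rule:<name>, is_admin:True, key:%(k)s) to contrast an
owner rule keyed on project_id with one keyed on user_id, and to show what
a target without a user_id attribute does to the latter.
"""
import json

# Constructed policy.json fragments: the project-scoped owner rule, and the
# user_id-based variant the thread says was untested in the v2.1 stack.
PROJECT_OWNER_POLICY = json.loads("""
{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner"
}
""")

USER_OWNER_POLICY = json.loads("""
{
    "admin_or_owner": "is_admin:True or user_id:%(user_id)s",
    "compute:delete": "rule:admin_or_owner"
}
""")


def _check_atom(atom, target, creds, rules):
    """Evaluate one 'kind:value' check.

    rule:<name>   -> recurse into another named rule
    is_admin:True -> compare the literal against the credential
    key:%(k)s     -> credential 'key' must equal target['k'];
                     a target without 'k' makes the check fail
                     (mirrors oslo.policy's GenericCheck, which returns
                     False on KeyError rather than raising).
    """
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return _check_rule(value, target, creds, rules)
    try:
        expected = value % target  # substitute %(user_id)s, %(project_id)s, ...
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def _check_rule(name, target, creds, rules):
    # Grammar subset: "A or B or C", each alternative a single atom.
    # ('and', 'not' and parentheses are not handled in this stand-in.)
    expr = rules[name]
    return any(_check_atom(alt.strip(), target, creds, rules)
               for alt in expr.split(" or "))


def enforce(rules, action, target, creds):
    """Return True if creds may perform action on target under rules."""
    return _check_rule(action, target, creds, rules)


def demo():
    """Run both policies over constructed data; returns a dict of outcomes."""
    # Two non-admin members of the same project (constructed).
    alice = {"user_id": "u-alice", "project_id": "p-research", "is_admin": False}
    bob = {"user_id": "u-bob", "project_id": "p-research", "is_admin": False}
    # Target built from an instance record: carries its creator's user_id.
    instance = {"user_id": "u-alice", "project_id": "p-research"}
    # Target for a resource that has no user_id attribute at all (constructed),
    # the "not everything has a user_id" case from the thread.
    project_only = {"project_id": "p-research"}

    return {
        # project rule: any member of the project may act on its instance
        "project_rule_bob_on_alice_instance":
            enforce(PROJECT_OWNER_POLICY, "compute:delete", instance, bob),
        # user rule: bob is refused on alice's instance, alice is allowed
        "user_rule_bob_on_alice_instance":
            enforce(USER_OWNER_POLICY, "compute:delete", instance, bob),
        "user_rule_alice_on_own_instance":
            enforce(USER_OWNER_POLICY, "compute:delete", instance, alice),
        # user rule against a target without user_id: even alice is refused,
        # while the project rule still works
        "user_rule_alice_on_project_only":
            enforce(USER_OWNER_POLICY, "compute:delete", project_only, alice),
        "project_rule_alice_on_project_only":
            enforce(PROJECT_OWNER_POLICY, "compute:delete", project_only, alice),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The last two results are the practical point of the thread: a `user_id:%(user_id)s` owner rule silently turns into a blanket deny for any operation whose target carries no `user_id`, so which operations are affected depends entirely on how each API method builds its target, which is exactly what was untested. The `project_id` rule has no such dependency.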


