[Openstack-security] [Bug 1187104] Re: Implement policy check for object ownership
Andrew Laski
andrew.laski at rackspace.com
Fri Jun 14 17:59:43 UTC 2013
** Changed in: nova
Importance: Undecided => Wishlist
** Changed in: nova
Status: New => Invalid
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187104
Title:
Implement policy check for object ownership
Status in OpenStack Compute (Nova):
Invalid
Bug description:
As far as I can tell, there is no policy check for resource ownership.
The current policy checks support: all, none, role-membership, and tenant-membership. This means that the most minimal policy for an action, e.g. "compute:delete" is "role:Name and tenant_id:%(tenant_id)s".
This role would allows any member of a project to delete any instance, which is a problem!
We need something like:
"owns:%(resource_id)" which checks the "user_id" field associated with the resource?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1187104/+subscriptions
More information about the Openstack-security
mailing list