[Openstack-security] [openstack/nova] SecurityImpact review request change I02da6cc8c766e5f43689449ef63121122f537b5b

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Fri Jul 3 06:16:30 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/160205

Log:
commit eb40429b44f01ed6fed9e52ed4b84f96e8332d8f
Author: He Jie Xu <hejie.xu at intel.com>
Date:   Mon Mar 2 08:08:44 2015 +0800

    Remove db layer hard-code permission checks for quota_class_get_all_by_name
    
    This patch removes the hard-code permission checks for db call
    quota_class_get_all_by_name.
    
    For v2 api, there already have same hard-code permission checks in REST API
    layer, so it is back-compatible.
    
    For v2.1 api, to distinguish show and update permission, this patch adds
    new rule for show method.
    
    Partially implements bp nova-api-policy-final-part
    
    SecurityImpact
    UpgradeImpact: Due to the db layer permission checks deleted, they need
    default policy rule instead of that. In this patch,
    "os_compute_api:os-quota-class-sets:show" was updated with a default
    rule. Admin will be notfied to update their policy configure file to keep
    the behavior as before.
    
    Change-Id: I02da6cc8c766e5f43689449ef63121122f537b5b





More information about the Openstack-security mailing list