diff --git a/nova/policies/server_tags.py b/nova/policies/server_tags.py
index bbb8e8d0622e..020a9d056368 100644
--- a/nova/policies/server_tags.py
+++ b/nova/policies/server_tags.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
 server_tags_policies = [
 base.create_rule_default(
 POLICY_ROOT % 'delete_all',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "Delete all the server tags",
 [
 {
@@ -34,7 +34,7 @@ server_tags_policies = [
 ]),
 base.create_rule_default(
 POLICY_ROOT % 'index',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "List all tags for given server",
 [
 {
@@ -44,7 +44,7 @@ server_tags_policies = [
 ]),
 base.create_rule_default(
 POLICY_ROOT % 'update_all',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "Replace all tags on specified server with the new set of tags.",
 [
 {
@@ -55,7 +55,7 @@ server_tags_policies = [
 ]),
 base.create_rule_default(
 POLICY_ROOT % 'delete',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "Delete a single tag from the specified server",
 [
 {
@@ -66,7 +66,7 @@ server_tags_policies = [
 ),
 base.create_rule_default(
 POLICY_ROOT % 'update',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "Add a single tag to the server if server has no specified tag",
 [
 {
@@ -77,7 +77,7 @@ server_tags_policies = [
 ),
 base.create_rule_default(
 POLICY_ROOT % 'show',
- base.RULE_ANY,
+ base.RULE_ADMIN_OR_OWNER,
 "Check tag existence on the server.",
 [
 {
@@ -88,7 +88,7 @@ server_tags_policies = [
 ),
 policy.RuleDefault(
 name=POLICY_ROOT % 'discoverable',
- check_str=base.RULE_ANY),
+ check_str=base.RULE_ANY)
 ]
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 11626da3f5e7..0080f9eeb96c 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
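Review bot: Moving `delete_all` (and, in the @@ -34 through @@ -77 hunks, `index`, `update_all`, `delete`, `update` and `show`) to `base.RULE_ADMIN_OR_OWNER` only excludes non-owners if the enforcement call in the server-tags controller supplies the target instance's project as the policy target; if I recall nova's `context.can()` default correctly, a call with no explicit target compares the caller's own project against itself and the owner clause passes for every authenticated user. That cannot be seen from the policy file, so please confirm each of the six `context.can(POLICY_ROOT % ..., target=...)` calls passes at least `{'project_id': instance.project_id}` taken from the looked-up instance, and that a test exercises a caller from a different project being refused. The @@ -88 hunk only drops the trailing comma after `check_str=base.RULE_ANY)`, which is unrelated cleanup inside a security change; leaving `discoverable` at `RULE_ANY` matches the other discoverable rules. A comment above the list such as `# Tag reads and writes are scoped to the instance owner (or admin); 'discoverable' stays open so the extension remains listable.` would record the intent for the next reader.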
@@ -418,6 +418,12 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-server-password",
 "os_compute_api:os-server-usage",
 "os_compute_api:os-server-groups",
+"os_compute_api:os-server-tags:delete",
+"os_compute_api:os-server-tags:delete_all",
+"os_compute_api:os-server-tags:index",
+"os_compute_api:os-server-tags:show",
+"os_compute_api:os-server-tags:update",
+"os_compute_api:os-server-tags:update_all",
 "os_compute_api:os-server-groups:index",
 "os_compute_api:os-server-groups:show",
 "os_compute_api:os-server-groups:create",
@@ -502,13 +508,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "os_compute_api:os-server-password:discoverable",
 "os_compute_api:os-server-usage:discoverable",
 "os_compute_api:os-server-groups:discoverable",
-"os_compute_api:os-server-tags:delete",
-"os_compute_api:os-server-tags:delete_all",
 "os_compute_api:os-server-tags:discoverable",
-"os_compute_api:os-server-tags:index",
-"os_compute_api:os-server-tags:show",
-"os_compute_api:os-server-tags:update",
-"os_compute_api:os-server-tags:update_all",
 "os_compute_api:os-services:discoverable",
 "os_compute_api:server-metadata:discoverable",
 "os_compute_api:server-migrations:discoverable",
diff --git a/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml b/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml
new file mode 100644
index 000000000000..880621bd1417
--- /dev/null
+++ b/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml
@@ -0,0 +1,5 @@
+upgrade:
+ - The default policy on os-server-tags has been changed from
+ ``RULE_ANY`` (allow all) to ``RULE_ADMIN_OR_OWNER``. This is because server
+ tags should only be manipulated on servers owned by the user or admin. This
+ doesn't have any affect on how the API works.
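Review bot: The six `os-server-tags` entries in the @@ -418 hunk are inserted between `"os_compute_api:os-server-groups"` and `"os_compute_api:os-server-groups:index"`, splitting the server-groups entries; the list they were removed from in the @@ -502 hunk is kept alphabetical, so placing them after `"os_compute_api:os-server-groups:create"` (or in their sorted position) would keep both lists readable. The list definitions and the enclosing `RealRolePolicyTestCase` methods begin outside these hunks, so I cannot see which bucket each list feeds; presumably the first is the admin-or-owner set and the second the allow-all set, which is the right reclassification. This hunk only recategorizes the rule names, and I can't tell from here whether the enclosing test case actually enforces each admin-or-owner rule with a target from another project — if it doesn't, a dedicated negative test for one of the tag rules would pin the new behavior.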