From f0c0621aa09a6f659e9080313962b99adbb63459 Mon Sep 17 00:00:00 2001 From: Sujitha Date: Thu, 3 Nov 2016 17:16:56 +0000 Subject: [PATCH] Change os-server-tags default policy os-server-tags operations should be limited only to admin or owner of the server. This patch changes the default policy to from ANY to ADMIN_OR_OWNER. This patch doesn't address the actual policy check at the API level. This would be fixed as part of a wider effort. For now, we maintain consistency with other similar APIs. Change-Id: If5f48fad9f040dd08060b4a86858a3b223550956 Closes-Bug: #1581203 --- nova/policies/server_tags.py | 14 +++++++------- nova/tests/unit/test_policy.py | 12 ++++++------ ...ags-default-policy-change-003a244908a67289.yaml | 5 +++++ 3 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml diff --git a/nova/policies/server_tags.py b/nova/policies/server_tags.py index bbb8e8d0622e..020a9d056368 100644 --- a/nova/policies/server_tags.py +++ b/nova/policies/server_tags.py @@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s' server_tags_policies = [ base.create_rule_default( POLICY_ROOT % 'delete_all', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "Delete all the server tags", [ { @@ -34,7 +34,7 @@ server_tags_policies = [ ]), base.create_rule_default( POLICY_ROOT % 'index', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "List all tags for given server", [ { @@ -44,7 +44,7 @@ server_tags_policies = [ ]), base.create_rule_default( POLICY_ROOT % 'update_all', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "Replace all tags on specified server with the new set of tags.", [ { @@ -55,7 +55,7 @@ server_tags_policies = [ ]), base.create_rule_default( POLICY_ROOT % 'delete', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "Delete a single tag from the specified server", [ { 
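Review bot: Changing `delete_all` to `base.RULE_ADMIN_OR_OWNER` only restricts access if the enforcement call is given the target server's `project_id`/`user_id`; if the server-tags controllers call `context.can()` with the default target (the caller's own context), as the commit message's "doesn't address the actual policy check at the API level" suggests, an admin-or-owner check passes for every authenticated user and this hunk alone does not close the cross-tenant access in bug 1581203. Since that gap is deliberate but invisible from the rule itself, I would record it next to the rule rather than leave it to the commit message: `# NOTE: enforced only if the API passes the server's project_id as the policy target (see bug 1581203)`. The same caveat applies to the five sibling rules changed in the following hunks. The `server_tags_policies` list continues outside the hunk.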
@@ -66,7 +66,7 @@ server_tags_policies = [ ), base.create_rule_default( POLICY_ROOT % 'update', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "Add a single tag to the server if server has no specified tag", [ { @@ -77,7 +77,7 @@ server_tags_policies = [ ), base.create_rule_default( POLICY_ROOT % 'show', - base.RULE_ANY, + base.RULE_ADMIN_OR_OWNER, "Check tag existence on the server.", [ { @@ -88,7 +88,7 @@ server_tags_policies = [ ), policy.RuleDefault( name=POLICY_ROOT % 'discoverable', - check_str=base.RULE_ANY), + check_str=base.RULE_ANY) ] diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py index b1c406d221de..52663136ab76 100644 --- a/nova/tests/unit/test_policy.py +++ b/nova/tests/unit/test_policy.py @@ -419,6 +419,12 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-server-password", "os_compute_api:os-server-usage", "os_compute_api:os-server-groups", +"os_compute_api:os-server-tags:delete", +"os_compute_api:os-server-tags:delete_all", +"os_compute_api:os-server-tags:index", +"os_compute_api:os-server-tags:show", +"os_compute_api:os-server-tags:update", +"os_compute_api:os-server-tags:update_all", "os_compute_api:os-server-groups:index", "os_compute_api:os-server-groups:show", "os_compute_api:os-server-groups:create", @@ -503,13 +509,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase): "os_compute_api:os-server-password:discoverable", "os_compute_api:os-server-usage:discoverable", "os_compute_api:os-server-groups:discoverable", -"os_compute_api:os-server-tags:delete", -"os_compute_api:os-server-tags:delete_all", "os_compute_api:os-server-tags:discoverable", -"os_compute_api:os-server-tags:index", -"os_compute_api:os-server-tags:show", -"os_compute_api:os-server-tags:update", -"os_compute_api:os-server-tags:update_all", "os_compute_api:os-services:discoverable", "os_compute_api:server-metadata:discoverable", "os_compute_api:server-migrations:discoverable", 
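Review bot: The `discoverable` hunk drops the trailing comma after `check_str=base.RULE_ANY)`, which leaves the last element of `server_tags_policies` formatted differently from the preceding ones (each ends in `]),`) and means the next rule appended here will have to touch this line again. This is a style-only change unrelated to the policy fix, so I would keep `check_str=base.RULE_ANY),` and leave the line out of the patch. Whether `discoverable` should stay `RULE_ANY` is a separate question; the test hunk below keeps it in the allow-all group alongside the other `:discoverable` rules, so it looks consistent with the rest of the API.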
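Review bot: Moving the six `os_compute_api:os-server-tags:*` names into this list appears to pin only the rule's default string (the hunk adds bare rule names to a role-group list), so it passes whether or not the server-tags controllers supply the owning project as the policy target, and the commit message says that enforcement is still pending. A reader of this test could take the entries as evidence that non-owners are denied, which the commit does not establish. I would add one line above the moved entries, `# os-server-tags: default is ADMIN_OR_OWNER but API-level target enforcement is pending (bug 1581203)`, so whoever tightens the controllers knows a negative test (second-project context expecting 403) is still missing. The `RealRolePolicyTestCase` class and the list being edited continue outside the hunk.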
diff --git a/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml b/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml new file mode 100644 index 000000000000..880621bd1417 --- /dev/null +++ b/releasenotes/notes/os-server-tags-default-policy-change-003a244908a67289.yaml @@ -0,0 +1,5 @@ +upgrade: + - The default policy on os-server-tags has been changed from + ``RULE_ANY`` (allow all) to ``RULE_ADMIN_OR_OWNER``. This is because server + tags should only be manipulated on servers owned by the user or admin. This + doesn't have any affect on how the API works.