cinder/cinder
TommyLike 76d3c644f3
Add missing 'target_obj' when performing policy check
Generally, we have to pass the target object to ``authorize``
when enforcing a policy check, but this has been ignored during
our development and review process for a long time, and the
potential issue is that anyone can handle the target resource,
as ``authorize`` will always succeed if the rule is defined as
``admin_or_owner`` [1]. Luckily, for most of those APIs
this security concern is protected by our database access
code [2], which only allows project-scoped resources.

However, there is one API that does have a security issue when
an administrator changes the rule to "admin_or_owner".

1. "volume reset_status", for which cinder updates the
resource directly in the database; the procedure to reproduce
the bug is described on Launchpad.

This patch intends to correct most of the cases that can be
easily figured out, in case of future code changes.

[1]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/context.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n206
[2]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/db/sqlalchemy/api.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n3058
[3]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/api/contrib/admin_actions.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n161

Conflicts:
    cinder/api/contrib/volume_image_metadata.py

Partial-Bug: #1714858
Change-Id: I351b3ddf8dfe29da8d854d4038d64ca7be17390f
(cherry picked from commit 7391070474)
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2018-08-20 10:46:17 -05:00
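The mechanism the commit message describes, as an added illustration that is not cinder's or oslo.policy's own code: a simplified enforcer whose `admin_or_owner` rule is evaluated once with no target, so the caller's own credentials stand in for the target and the project check compares the caller's project with itself, and once with the fetched volume passed as the target. The `Context`, `POLICY` and `reset_status_*` names are assumptions made for this example.

```python
"""Why an admin_or_owner check with no target object always passes.

Added example, not cinder's code: a minimal stand-in for an
oslo.policy-style ``authorize(context, action, target)`` call, with
rule syntax reduced to the two checks the admin_or_owner rule needs.
"""
from dataclasses import dataclass

# Constructed policy: the rule an operator might set for reset_status.
POLICY = {"volume:reset_status": "is_admin:True or project_id:%(project_id)s"}


@dataclass
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False

    def to_policy_values(self):
        return {"user_id": self.user_id, "project_id": self.project_id,
                "is_admin": self.is_admin}


def _check(clause, target, creds):
    kind, _, match = clause.partition(":")
    if kind == "is_admin":
        return creds["is_admin"] == (match == "True")
    # Generic check: the right-hand side is a template filled from the target.
    return str(creds.get(kind)) == match % target


def authorize(context, action, target=None):
    """Evaluate POLICY[action]; with no target, the caller's own credentials
    are used as the target (the behaviour the commit message describes)."""
    creds = context.to_policy_values()
    if target is None:
        target = creds  # project_id:%(project_id)s now compares creds to itself
    return any(_check(c.strip(), target, creds)
               for c in POLICY[action].split(" or "))


def reset_status_unchecked(context, volume):
    # 'before' pattern: the volume is fetched from the DB but never passed in.
    return authorize(context, "volume:reset_status")


def reset_status_checked(context, volume):
    # 'after' pattern: the fetched volume is the policy target (target_obj).
    return authorize(context, "volume:reset_status", target=volume)


# Constructed sample data: a non-admin in project "p1" acting on "p2"'s volume.
OWN_VOLUME = {"id": "vol-1", "project_id": "p1"}
OTHER_VOLUME = {"id": "vol-2", "project_id": "p2"}
```

With a non-admin context for project "p1", `reset_status_unchecked` accepts `OTHER_VOLUME` while `reset_status_checked` rejects it, which is the gap the patch closes.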