cinder/cinder/api/v3
TommyLike 76d3c644f3
Add missing 'target_obj' when perform policy check
Generally, we have to pass the target object to ``authorize``
when enforcing a policy check, but this has been ignored during
our development and review process for a long time, and the
potential issue is that anyone can handle the target resource,
as ``authorize`` will always succeed if the rule is defined as
``admin_or_owner`` [1]. Luckily, for most of those APIs
this security concern is protected by our database access
code [2], which only allows project-scoped resources.

However, there is one API that does have a security issue when
the administrator changes the rule to "admin_or_owner".

1. "volume reset_status", where cinder updates the
resource directly in the database; the procedure to reproduce
the bug is described on the launchpad.

This patch intends to correct most of the cases, which can be
easily figured out in case of future code changes.

[1]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/context.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n206
[2]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/db/sqlalchemy/api.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n3058
[3]: http://git.openstack.org/cgit/openstack/cinder/tree/cinder/api/contrib/admin_actions.py?id=73e6e3c147fc357031834d0ac28478d061e6120c#n161

Conflicts:
    cinder/api/contrib/volume_image_metadata.py

Partial-Bug: #1714858
Change-Id: I351b3ddf8dfe29da8d854d4038d64ca7be17390f
(cherry picked from commit 7391070474)
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2018-08-20 10:46:17 -05:00
views Add shared_targets and service_uuid to volumes 2017-12-01 18:26:21 +00:00
__init__.py cinder-api-microversions code 2016-02-24 06:50:54 -07:00
attachments.py Add policy check for complete attachment API action 2018-01-24 15:48:22 +00:00
backups.py Remove leading and trailing spaces from parameters 2018-01-17 11:45:34 +05:30
clusters.py Use constants for cinder-volume 2017-12-29 09:05:08 +08:00
consistencygroups.py Add cg policies and clean up old policy handling 2017-12-04 10:07:54 +08:00
group_snapshots.py V3 jsonschema validation: Group Snapshots 2017-12-20 18:54:24 +05:30
group_specs.py V3 jsonschema validation: Group type specs 2017-12-12 14:48:42 +05:30
group_types.py Fix combination of parameters for update APIs 2018-01-18 14:19:13 +05:30
groups.py Remove API check is_valid_body 2017-10-10 00:53:07 +00:00
limits.py Use constants for microversion values 2017-09-22 08:15:56 -05:00
messages.py Add missing 'target_obj' when perform policy check 2018-08-20 10:46:17 -05:00
resource_common_manage.py Use constants for microversion values 2017-09-22 08:15:56 -05:00
resource_filters.py Use constants for microversion values 2017-09-22 08:15:56 -05:00
router.py Add project_id admin filter to limits API 2017-06-18 18:15:35 +08:00
snapshot_manage.py V2/V3 json schema validation: snapshot manage 2018-01-02 09:52:42 +05:30
snapshots.py Fix 'KeyError' when 'with_count' is not specified 2017-11-28 00:59:44 +00:00
volume_manage.py Use constants for microversion values 2017-09-22 08:15:56 -05:00
volume_metadata.py V3 jsonschema validation: Volume metadata 2017-12-08 12:40:01 +05:30
volumes.py Add missing 'target_obj' when perform policy check 2018-08-20 10:46:17 -05:00
workers.py Update document for worker cleanup API 2018-02-02 13:32:34 +00:00