Compute services (os-services) API not granular enough by policy and code

Bug #1778994 reported by Rick Bartra
Affects: OpenStack Compute (nova) | Status: Confirmed | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

The Nova Compute services (os-services) API is not granular enough in the sense that multiple APIs check the same policy action for list, update, and delete. This does not allow operators with strict security requirements to have different roles that can perform certain APIs but not others - it currently is all or nothing. As it currently stands, listing, updating, and deleting compute services checks the single policy action 'os_compute_api:os-services' - which prevents operators who want read-only roles or other sub-admin type roles. To further achieve RBAC granularity, new policy actions should be introduced and checked by the os-services API.
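The all-or-nothing effect described above can be made concrete with a small model of the policy check. The following is an added example, not code from the bug report or from nova: it implements only the subset of oslo.policy rule syntax needed here ("role:<name>", "rule:<name>", terms joined by " or "), and the granular action names it uses (os_compute_api:os-services:list/update/delete) are an assumption following the naming pattern nova later adopted, so check the generated policy file of your own deployment before relying on them.

```python
# Added example: a minimal evaluator for a subset of oslo.policy rule syntax,
# used to show why one policy action for list/update/delete cannot express a
# read-only role. nova itself uses oslo.policy; this is only a model.

# Which policy action guards each os-services operation when a single action
# covers all three (the situation the bug describes).
COARSE_OPERATIONS = {
    "GET /os-services": "os_compute_api:os-services",
    "PUT /os-services/{id}": "os_compute_api:os-services",
    "DELETE /os-services/{id}": "os_compute_api:os-services",
}

# One action per operation. Names are an assumption for this example,
# following the pattern nova later used; verify against your policy file.
GRANULAR_OPERATIONS = {
    "GET /os-services": "os_compute_api:os-services:list",
    "PUT /os-services/{id}": "os_compute_api:os-services:update",
    "DELETE /os-services/{id}": "os_compute_api:os-services:delete",
}

# Coarse policy with the usual admin-only default.
COARSE_POLICY = {
    "admin_api": "role:admin",
    "os_compute_api:os-services": "rule:admin_api",
}

# The only way to let a reader role list services under the coarse policy is
# to widen the single action, which also opens update and delete to readers.
COARSE_POLICY_WITH_READER = {
    "admin_api": "role:admin",
    "os_compute_api:os-services": "role:reader or rule:admin_api",
}

# Granular policy: readers may list, only admins may update or delete.
GRANULAR_POLICY = {
    "admin_api": "role:admin",
    "os_compute_api:os-services:list": "role:reader or rule:admin_api",
    "os_compute_api:os-services:update": "rule:admin_api",
    "os_compute_api:os-services:delete": "rule:admin_api",
}


def check(policy, action, roles, _depth=0):
    """Return True if a request carrying `roles` satisfies policy[action]."""
    if _depth > 10:
        raise ValueError("rule recursion too deep: %s" % action)
    expr = policy.get(action)
    if expr is None:
        # Unknown action: deny by default.
        return False
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and check(policy, value, roles, _depth + 1):
            return True
    return False


def allowed_operations(policy, operations, roles):
    """Return the set of operations (method/path) that `roles` may call."""
    return {op for op, action in operations.items()
            if check(policy, action, roles)}


if __name__ == "__main__":
    cases = [
        ("coarse, default", COARSE_POLICY, COARSE_OPERATIONS),
        ("coarse, reader added", COARSE_POLICY_WITH_READER, COARSE_OPERATIONS),
        ("granular", GRANULAR_POLICY, GRANULAR_OPERATIONS),
    ]
    for label, policy, ops in cases:
        for roles in ({"reader"}, {"admin"}):
            print("%-22s %-10s %s" % (label, sorted(roles),
                                      sorted(allowed_operations(policy, ops, roles))))
```

Running it shows the three outcomes the report contrasts: under the coarse default a reader can call nothing; widening the single action to include the reader grants all three operations; only the granular policy yields list-only access for the reader while update and delete stay admin-only.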

Tags: api
Rick Bartra (rb560u)
Changed in nova:
assignee: nobody → Rick Bartra (rb560u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/578553

Changed in nova:
status: New → In Progress
Ghanshyam Mann (ghanshyammann) wrote :

Thanks. This is applicable for many other APIs also, let's do this as part of this BP- https://blueprints.launchpad.net/nova/+spec/granular-api-policy

tags: added: api
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.opendev.org/578553
Reason: Unfortunately this is in merge conflict and looks abandoned so I'm going to drop it. It does also look like gmann is handling granular policy as part of blueprint policy-defaults-refresh, see https://review.opendev.org/#/c/648480/.

Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Wishlist
status: In Progress → Confirmed
assignee: Rick Bartra (rb560u) → nobody