non-admin shouldn't get the ['host', 'traceback'] of os-instance-actions's events

Bug #1866292 reported by Brin Zhang
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

The patch https://review.opendev.org/#/c/706470/7 would like to refresh the os-instance-actions defaults: the 'os_compute_api:os-instance-actions:events' role will change from 'rule:admin_api' to 'rule:system_admin_api', which is right.

In microversions 2.62, 2.58 and 2.51 we checked the non-admin GET response, but ['traceback'] (2.58 and 2.51) and ['host', 'traceback'] (2.62) can only be retrieved with the admin role [2].

[1] https://opendev.org/openstack/nova/src/branch/master/nova/tests/functional/api_sample_tests/test_instance_actions.py#L140

[2] https://opendev.org/openstack/nova/src/branch/master/api-guide/source/faults.rst#user-content-server-actions

The error below comes from https://review.opendev.org/#/c/706470/7:

Temporary link: https://0eb8bf1f49f1b12e44de-fa8c367d29960a6ba7cc5d4b52d5b2a7.ssl.cf1.rackcdn.com/706470/7/check/nova-tox-functional-py36/2d180f3/testr_results.html

For exception info, see http://paste.openstack.org/show/790375/

Brin Zhang (zhangbailin) wrote :

https://review.opendev.org/#/c/706179/8 What happened is that in my patch I deprecated the wrong policy rule: the event policy is deprecated with admin_or_owner, and so a non-admin was able to access the traceback of events.

Changed in nova:
status: New → Invalid
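
One way to check a response for the fields this report is about, as an added example that is not nova's code or part of the original report. It assumes the restrictions named in the description apply from microversion 2.51 ('traceback') and 2.62 ('host') onward; the function names and the sample payload are constructed for illustration.

```python
# Added example: flag admin-only event fields in an os-instance-actions
# response that was returned to a non-admin caller.

# (minimum microversion, field) pairs taken from the bug description.
# Assumption: each restriction also holds for later microversions.
ADMIN_ONLY_EVENT_FIELDS = [
    ((2, 51), "traceback"),
    ((2, 62), "host"),
]


def parse_microversion(value):
    """Turn '2.62' into (2, 62); tuples order correctly where floats do not."""
    major, minor = value.split(".")
    return int(major), int(minor)


def admin_only_fields(microversion):
    """Event fields that only an admin should receive at this microversion."""
    version = parse_microversion(microversion)
    return {name for minimum, name in ADMIN_ONLY_EVENT_FIELDS if version >= minimum}


def leaked_fields(action, microversion, is_admin):
    """Return sorted (event, field) pairs a non-admin should not have seen."""
    if is_admin:
        return []
    restricted = admin_only_fields(microversion)
    leaks = []
    for event in action.get("events", []):
        for name in restricted & event.keys():
            leaks.append((event.get("event"), name))
    return sorted(leaks)


# Constructed sample: what a response looks like when the policy is too open.
SAMPLE_ACTION = {
    "action": "stop",
    "request_id": "req-constructed-0001",
    "events": [{
        "event": "compute_stop_instance",
        "result": "Error",
        "host": "compute-1",
        "traceback": "Traceback (most recent call last): ...",
    }],
}

if __name__ == "__main__":
    for version in ("2.51", "2.58", "2.62"):
        print(version, leaked_fields(SAMPLE_ACTION, version, is_admin=False))
```

A functional test can call `leaked_fields` on each non-admin response and fail when the returned list is not empty.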