Comment 25 for bug 1290537

Andrew Laski (alaski) wrote : Re: RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)

Christopher: Works for me. I'm happy with a simpler solution for now if everyone agrees. I'll update shortly.
And Tristan, I'll work on a backport but I just wanted to get approval on the direction first.

I added the fine-grained controls into the ec2 api because the OpenStack api has fine-grained controls as well; they're just enforced at the compute api level. Actually, I see now that I should have just added the @wrap_check_security_groups_policy decorator for the compute api methods that the ec2 api uses. But really the ec2 api and OpenStack api have different semantics, and make different calls, so I think it's fine for them to have different policies. That can be handled later in a non-security review, though.