_add_tenant_access silently ignores 403

Bug #1854053 reported by Surya Seetharaman
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
In Progress
Harshavardhan Metla

Bug Description

Running openstack flavor set from a project in which a user has an admin role (but the project is not an admin project) allows the provided project to be mapped to the flavor even if the permissions are insufficient for the user to verify the project provided i.e the generated 403 is ignored by nova silently at this point in code: https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61. This can in turn allow random projects to be mapped to flavors.

Tags: api
Revision history for this message
Matt Riedemann (mriedem) wrote :

Doesn't this just mean the keystone service user auth configured in nova doesn't have enough permissions to know if the given project exists?


So can't you do something about the configurable service user auth / permissions so nova *can* determine if he project exists?

Revision history for this message
Matt Riedemann (mriedem) wrote :
Matt Riedemann (mriedem)
Changed in nova:
status: New → Triaged
Changed in nova:
assignee: nobody → Harshavardhan Metla (harsha24)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735068

Changed in nova:
status: Triaged → In Progress
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.