_add_tenant_access silently ignores 403
Bug #1854053 reported by Surya Seetharaman
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | In Progress | Undecided | Harshavardhan Metla | |
Bug Description
Running openstack flavor set from a project in which a user has an admin role (but the project is not an admin project) allows the provided project to be mapped to the flavor even if the permissions are insufficient for the user to verify the project provided, i.e. the generated 403 is ignored by nova silently at this point in code: https:/
Changed in nova:
status: New → Triaged
Changed in nova:
assignee: nobody → Harshavardhan Metla (harsha24)
Doesn't this just mean the keystone service user auth configured in nova doesn't have enough permissions to know if the given project exists?
https://docs.openstack.org/nova/latest/configuration/config.html#keystone
So can't you do something about the configurable service user auth / permissions so nova *can* determine if the project exists?
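
Added illustration, not part of the bug report or nova's code: the fail-open handling the report describes (a 403 from the project lookup treated like success) next to a stricter variant that rejects anything but a 200. The identity lookup, tokens, project IDs and function names are constructed stand-ins; `add_tenant_access` only borrows its name from the bug title.

```python
"""Constructed sketch of fail-open vs. fail-closed project verification."""

class ProjectNotVerified(Exception):
    """Raised when a project cannot be confirmed to exist."""

# Constructed stand-in for the identity service: which project IDs exist,
# and which caller tokens are allowed to read project records.
PROJECTS = {"p-admin", "p-team-a"}
MAY_READ_PROJECTS = {"token-cloud-admin"}

def lookup_status(token, project_id):
    """Return the HTTP status an identity API would give for a project GET."""
    if token not in MAY_READ_PROJECTS:
        return 403  # caller may not inspect projects at all
    return 200 if project_id in PROJECTS else 404

def verify_fail_open(token, project_id):
    """Behaviour described in the report: only a 404 rejects, a 403 passes."""
    if lookup_status(token, project_id) == 404:
        raise ProjectNotVerified(project_id)
    return True  # 200 and 403 look the same to the caller

def verify_fail_closed(token, project_id):
    """Stricter variant (assumption): anything other than 200 rejects."""
    status = lookup_status(token, project_id)
    if status != 200:
        raise ProjectNotVerified("%s (identity returned %d)" % (project_id, status))
    return True

def add_tenant_access(flavor_access, verify, token, project_id):
    """Hypothetical stand-in: verify the project, then map it to the flavor."""
    verify(token, project_id)
    flavor_access.add(project_id)
    return flavor_access

def demo():
    """Try to map a nonexistent project using a token that gets a 403."""
    results = {}
    for name, verify in (("open", verify_fail_open), ("closed", verify_fail_closed)):
        access = set()
        try:
            add_tenant_access(access, verify, "token-project-admin", "no-such-project")
        except ProjectNotVerified:
            pass
        results[name] = sorted(access)
    return results

if __name__ == "__main__":
    print(demo())
```

With the fail-open check, the unverifiable project ID ends up in the flavor's access list; with the fail-closed check the request is rejected and the list stays empty.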