Volume transfers: Remove duplicate policy check

There is an initial policy check in the transfers accept API[1] which validates correctly if the user is authorized to perform the operation or not. However, we've a duplicate check in the volume API layer which passes a target object (volume) while authorizing which is wrong for this API. While authorizing, we enforce check on the project id of the target object i.e. volume in this case which, before the transfer operation is completed, contains the project id of source project hence making the validation wrong. In the case of transfers API, any project is able to accept the transfer given they've the auth key required to secure the transfer accept So this patch removes the duplicate policy check. [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225 Closes-Bug: #1950474 Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be
2022-01-11 04:56:51 -05:00 · 2022-01-11 04:56:51 -05:00 · 7ba9935a6e
commit 7ba9935a6e
parent c88c5074a6
2 changed files with 7 additions and 3 deletions
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@ -53,7 +53,6 @@ from cinder.policies import snapshot_metadata as s_meta_policy
 from cinder.policies import snapshots as snapshot_policy
 from cinder.policies import volume_actions as vol_action_policy
 from cinder.policies import volume_metadata as vol_meta_policy
-from cinder.policies import volume_transfer as vol_transfer_policy
 from cinder.policies import volumes as vol_policy
 from cinder import quota
 from cinder import quota_utils
@ -913,8 +912,6 @@ class API(base.Base):
                        new_user: str,
                        new_project: str,
                        no_snapshots: bool = False) -> dict:
-        context.authorize(vol_transfer_policy.ACCEPT_POLICY,
-                          target_obj=volume)
        if volume['status'] == 'maintenance':
            LOG.info('Unable to accept transfer for volume, '
                     'because it is in maintenance.', resource=volume)
--- a/releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml
+++ b/releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    `Bug #1950474 <https://bugs.launchpad.net/cinder/+bug/1950474>`_: Fixed
+    policy authorization for transfer accept API. Previously, setting
+    ``enforce_new_defaults=True`` in oslo_policy section would break the
+    transfer accept API which is fixed in this release.