From f6d256cf1fdc6d4d98b33cf511efa8cf2e71f2f4 Mon Sep 17 00:00:00 2001
From: Brian Rosmaita
Date: Tue, 15 Dec 2020 17:20:22 -0500
Subject: [PATCH] Correct group:reset_group_snapshot_status policy
The default value for the group:reset_group_snapshot_status policy, which governs the Block Storage API call "Reset group snapshot status"[0], was changed to admin-or-owner during refactoring for the policy-in-code initiative in Queens [1]. Consensus at the Wallaby R-18 mid-cycle was that this change was a mistake that should be corrected [2].
[0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status
[1] https://review.opendev.org/c/openstack/cinder/+/507812
[2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies
Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39
Closes-bug: #1908315
(cherry picked from commit 1631742f43a2d1f60cf5ccee26dced1d542f2bf6)
(cherry picked from commit 1941ecc6d4013ecfdf7e2d37fd87ffaa04d8a38d)
(cherry picked from commit 6c399a8b0d8e945911cf4408b0d6cb2d3d15bd3a)
---
 cinder/policies/group_snapshot_actions.py | 2 +-
 .../notes/bug-1908315-020fea3e244d49bb.yaml | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml
diff --git a/cinder/policies/group_snapshot_actions.py b/cinder/policies/group_snapshot_actions.py
index 6a766d602e6..e74e0b173f5 100644
--- a/cinder/policies/group_snapshot_actions.py
+++ b/cinder/policies/group_snapshot_actions.py
@@ -24,7 +24,7 @@ RESET_STATUS = 'group:reset_group_snapshot_status'
 group_snapshot_actions_policies = [
 policy.DocumentedRuleDefault(
 name=RESET_STATUS,
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.RULE_ADMIN_API,
 description="Reset status of group snapshot.",
 operations=[
 {
diff --git a/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml b/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml
new file mode 100644
index 00000000000..f5a22764163
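Review bot: The switch of `check_str` to `base.RULE_ADMIN_API` for `group:reset_group_snapshot_status` comes with no test that pins the new default; the diffstat lists only the policy module and the release note. Because no existing test had to change, it looks as if nothing currently asserts who may call this action, which is presumably how the Queens refactor loosened it unnoticed. A policy test that sends the reset-status request with a non-admin project-owner context and expects an authorization failure would keep the default from drifting again. A short comment above the rule would also help, for example `# Admin-only on purpose: an owner could set an invalid status (bug #1908315).` The `group_snapshot_actions_policies` list continues past the end of the hunk.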
--- /dev/null
+++ b/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml
@@ -0,0 +1,38 @@
+---
+upgrade:
+ - |
+ This release contains a fix for `Bug #1908315
+ `_, which changes the
+ default value of the policy governing the Block Storage API action
+ `Reset group snapshot status
+ `_
+ to make the action administrator-only. This policy was inadvertently
+ changed to be admin-or-owner during the Queens development cycle.
+
+ The policy is named ``group:reset_group_snapshot_status``.
+
+ * If you have a custom value for this policy in your cinder policy
+ configuration file, this change to the default value will not affect
+ you.
+ * If you have been aware of this regression and like the current
+ (incorrect) behavior, you may add the following line to your cinder
+ policy configuration file to restore that behavior::
+
+ "group:reset_group_snapshot_status": "rule:admin_or_owner"
+
+ This setting is *not recommended* by the Cinder project team, as it
+ may allow end users to put a group snapshot into an invalid status with
+ indeterminate consequences.
+
+ For more information about the cinder policy configuration file, see the
+ `policy.yaml
+ `_
+ section of the Cinder Configuration Guide.
+fixes:
+ - |
+ `Bug #1908315 `_: Corrected
+ the default checkstring for the ``group:reset_group_snapshot_status``
+ policy to make it admin-only. This policy governs the Block Storage API
+ action `Reset group snapshot status
+ `_,
+ which by default is supposed to be an adminstrator-only action.