From b86da5d4073d9c50aed90c4d6ae6884138be6b06 Mon Sep 17 00:00:00 2001
From: Rajat Dhasmana
Date: Tue, 11 Jan 2022 04:56:51 -0500
Subject: [PATCH] Volume transfers: Remove duplicate policy check
There is an initial policy check in the transfers accept API[1] which validates correctly if the user is authorized to perform the operation or not. However, we've a duplicate check in the volume API layer which passes a target object (volume) while authorizing which is wrong for this API. While authorizing, we enforce check on the project id of the target object i.e. volume in this case which, before the transfer operation is completed, contains the project id of source project hence making the validation wrong. In the case of transfers API, any project is able to accept the transfer given they've the auth key required to secure the transfer accept So this patch removes the duplicate policy check.
[1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225
Closes-Bug: #1950474
Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be
(cherry picked from commit 7ba9935a6e1e8a572391563927acb086fdbe5e5c)
(cherry picked from commit 46415541a790869d9f5a5a5cc821852730b98149)
---
 cinder/volume/api.py | 3 ---
 .../fix-transfer-accept-policy-7594806372b14284.yaml | 8 ++++++++
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index 724a567d7e8..8c50830f24c 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -51,7 +51,6 @@ from cinder.policies import snapshot_metadata as s_meta_policy
 from cinder.policies import snapshots as snapshot_policy
 from cinder.policies import volume_actions as vol_action_policy
 from cinder.policies import volume_metadata as vol_meta_policy
-from cinder.policies import volume_transfer as vol_transfer_policy
 from cinder.policies import volumes as vol_policy
 from cinder import quota
 from cinder import quota_utils
@@ -828,8 +827,6 @@ class API(base.Base):
 def accept_transfer(self, context, volume, new_user, new_project, no_snapshots=False):
- context.authorize(vol_transfer_policy.ACCEPT_POLICY,
- target_obj=volume)
 if volume['status'] == 'maintenance':
 LOG.info('Unable to accept transfer for volume, ' 'because it is in maintenance.', resource=volume)
diff --git a/releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml b/releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml
new file mode 100644
index 00000000000..24de5752a8f
--- /dev/null
+++ b/releasenotes/notes/fix-transfer-accept-policy-7594806372b14284.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ `Bug #1950474 `_: Fixed
+ policy authorization for transfer accept API. Previously, if an operator
+ had overridden the default transfer accept policy to something project
+ specific in policy.yaml file, it would break the transfer accept API
+ which is fixed in this release.
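Review bot: After the second hunk of cinder/volume/api.py drops `context.authorize(...)`, `accept_transfer` enforces no policy of its own and nothing in the method says where authorization now happens. A comment at the top of the body would stop a later caller from treating it as an authorized entry point, for example `# Policy is enforced by the caller in cinder/transfer/api.py; the volume still carries the source project's id here, so it must not be used as target_obj.` The diffstat lists only api.py and the release note, so a unit test that accepts a transfer under a project-scoped override of `ACCEPT_POLICY` appears to be missing and would pin the fix. The method body continues past the end of the hunk.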