Correct group:reset_group_snapshot_status policy

The default value for the group:reset_group_snapshot_status policy, which governs the Block Storage API call "Reset group snapshot status"[0], was changed to admin-or-owner during refactoring for the policy-in-code initiative in Queens [1]. Consensus at the Wallaby R-18 mid-cycle was that this change was a mistake that should be corrected [2]. [0] https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status [1] https://review.opendev.org/c/openstack/cinder/+/507812 [2] https://wiki.openstack.org/wiki/CinderWallabyMidCycleSummary#consistent_and_secure_policies Change-Id: I7875d365bb73dd80ecbe30c4801599b6f781cc39 Closes-bug: #1908315 (cherry picked from commit 1631742f43) (cherry picked from commit 1941ecc6d4) (cherry picked from commit 6c399a8b0d)
2020-12-15 17:20:22 -05:00 · 2020-12-15 17:20:22 -05:00 · f6d256cf1f
parent ecd2916042
commit f6d256cf1f
2 changed files with 39 additions and 1 deletions
--- a/cinder/policies/group_snapshot_actions.py
+++ b/cinder/policies/group_snapshot_actions.py
@ -24,7 +24,7 @@ RESET_STATUS = 'group:reset_group_snapshot_status'
 group_snapshot_actions_policies = [
    policy.DocumentedRuleDefault(
        name=RESET_STATUS,
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.RULE_ADMIN_API,
        description="Reset status of group snapshot.",
        operations=[
            {
--- a/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml
+++ b/releasenotes/notes/bug-1908315-020fea3e244d49bb.yaml
@ -0,0 +1,38 @@
+---
+upgrade:
+  - |
+    This release contains a fix for `Bug #1908315
+    <https://bugs.launchpad.net/cinder/+bug/1908315>`_, which changes the
+    default value of the policy governing the Block Storage API action
+    `Reset group snapshot status
+    <https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_
+    to make the action administrator-only.  This policy was inadvertently
+    changed to be admin-or-owner during the Queens development cycle.
+
+    The policy is named ``group:reset_group_snapshot_status``.
+
+    * If you have a custom value for this policy in your cinder policy
+      configuration file, this change to the default value will not affect
+      you.
+    * If you have been aware of this regression and like the current
+      (incorrect) behavior, you may add the following line to your cinder
+      policy configuration file to restore that behavior::
+
+          "group:reset_group_snapshot_status": "rule:admin_or_owner"
+
+      This setting is *not recommended* by the Cinder project team, as it
+      may allow end users to put a group snapshot into an invalid status with
+      indeterminate consequences.
+
+    For more information about the cinder policy configuration file, see the
+    `policy.yaml
+    <https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html>`_
+    section of the Cinder Configuration Guide.
+fixes:
+  - |
+    `Bug #1908315 <https://bugs.launchpad.net/cinder/+bug/1908315>`_: Corrected
+    the default checkstring for the ``group:reset_group_snapshot_status``
+    policy to make it admin-only.  This policy governs the Block Storage API
+    action `Reset group snapshot status
+    <https://docs.openstack.org/api-ref/block-storage/v3/#reset-group-snapshot-status>`_,
+    which by default is supposed to be an adminstrator-only action.