From 632998e218939002d199b52d7262bf8e633d2c2e Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 6 Feb 2024 12:13:59 +0900
Subject: [PATCH] Fix access by admin users to resources in different projects
This allows admin users[1] to use a different project id in request path, to fix the unexpected access denials during redirection when enforcing new default rules. This was allowed previously with deprecated policy rules, and with the new SRBAC design we require project scope auth to access project owned resources such as stack. [1] User with admin role in admin project in case admin_project_name is set in Keystone. If it's not set then user with admin role in any project are considered as "admin".
Story: 2011036
Task: 49532
Change-Id: I49f46e36828881d9700e0e178bd80eb04efe4510
---
 heat/api/openstack/v1/util.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/heat/api/openstack/v1/util.py b/heat/api/openstack/v1/util.py
index ee2b92dc73..556f6f274b 100644
--- a/heat/api/openstack/v1/util.py
+++ b/heat/api/openstack/v1/util.py
@@ -29,9 +29,15 @@ def registered_policy_enforce(handler):
 """
 @functools.wraps(handler)
 def handle_stack_method(controller, req, tenant_id, **kwargs):
+ # NOTE(tkajinam): Heat uses stack owner's project id in redirect URI.
+ # So admin might be redirected to different project id when accessing
+ # resources in a different project. Use project id in context to
+ # bypass project_id check, because admin should have access to all
+ # projects.
+ if req.context.is_admin and req.context.project_id:
+ tenant_id = req.context.tenant_id
 _target = {"project_id": tenant_id}
-
- if req.context.tenant_id != tenant_id and not req.context.is_admin:
+ if req.context.tenant_id != tenant_id:
 raise exc.HTTPForbidden()
 allowed = req.context.policy.enforce(
 context=req.context,
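Review bot: The new guard tests `req.context.project_id` but then assigns `req.context.tenant_id`, so the condition and the override read two differently named attributes; if these are not guaranteed aliases of each other on the context, an admin context with a project_id but no tenant_id would silently rewrite `tenant_id` to an empty value and the later `req.context.tenant_id != tenant_id` check would still pass. Using one attribute for both, `tenant_id = req.context.project_id`, removes the ambiguity. Because this override discards the project id from the request path before `_target` is built, the policy target no longer records which project's resource an admin is actually touching and the cross-project access leaves no trace; a debug log of the original path id and the substituted one at the override point (if the module has a logger) would keep that visible for audit. The enclosing `handle_stack_method` continues past the end of the hunk, so whether the rewritten `tenant_id` is also passed on to the wrapped handler cannot be confirmed from here.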