nova/nova/policies
Matt Riedemann 7bcd581c78 Add policy rule to block image-backed servers with 0 root disk flavor
This adds a new policy rule which defaults to behave in a
backward compatible way, but will allow operators to enforce
that servers created with a zero disk flavor must also be
volume-backed servers.

Allowing users to upload their own images and create image-backed
servers on local disk with zero root disk size flavors can be
potentially hazardous if the size of the image is unexpectedly
large, since it can consume the local disk (or shared storage pool).

It should be noted that disabling the new policy rule will
result in a non-backward compatible API behavior change and no
microversion is being introduced for this because enforcement via
a new microversion would not close the security gap on any previous
microversions.

Related compute API reference and user documentation is updated
to mention the policy rule along with a release note since
this is tied to a security bug, which will be backported to stable
branches.

Conflicts:
      nova/policies/servers.py
      nova/tests/unit/test_policy.py

NOTE(mriedem): The conflict is due to not having change
Iedd3fea0e86648fae364f075915555dcb2c4f199 in Queens for trusted
certs.

Change-Id: Id67e1285a0522474844de130c9263e11868f67fb
Closes-Bug: #1739646
(cherry picked from commit 763fd62464)
2018-06-18 13:51:41 -04:00
__init__.py Put base policy rules at first 2017-09-05 16:53:44 +08:00
admin_actions.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
admin_password.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
agents.py Fix indentation in policy doc 2017-07-18 10:06:23 +03:00
aggregates.py Consistent policies 2017-07-17 16:45:41 -04:00
assisted_volume_snapshots.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
attach_interfaces.py Consistent policies 2017-07-17 16:45:41 -04:00
availability_zone.py trivial: Fix few policy doc 2018-02-01 03:04:00 +00:00
baremetal_nodes.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
base.py Update policy descriptions for base. 2017-07-17 17:14:35 -04:00
cells.py Consistent policies 2017-07-17 16:45:41 -04:00
cells_scheduler.py Use oslo.policy DocumentedRuleDefault 2017-07-13 13:02:57 -04:00
config_drive.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
console_auth_tokens.py Consistent policies 2017-07-17 16:45:41 -04:00
console_output.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
consoles.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
create_backup.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
deferred_delete.py Consistent policies 2017-07-17 16:45:41 -04:00
evacuate.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
extended_availability_zone.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
extended_server_attributes.py policies: Fix Sphinx issues 2017-08-03 16:06:14 -04:00
extended_status.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
extended_volumes.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
extensions.py Consistent policies 2017-07-17 16:45:41 -04:00
fixed_ips.py Consistent policies 2017-07-17 16:45:41 -04:00
flavor_access.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
flavor_extra_specs.py Update os_compute_api:os-flavor-extra-specs:index docs for 2.47 2018-04-20 19:34:29 +00:00
flavor_manage.py Add microversion to allow setting flavor description 2017-11-15 22:10:39 +00:00
flavor_rxtx.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
flavors.py Deprecate unused policy from policy doc 2017-05-23 00:13:34 +08:00
floating_ip_dns.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
floating_ip_pools.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
floating_ips.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
floating_ips_bulk.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
fping.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
hide_server_addresses.py Deprecate configurable Hide Server Address Feature 2017-12-07 08:45:18 +00:00
hosts.py Consistent policies 2017-07-17 16:45:41 -04:00
hypervisors.py Fix indentation in policy doc 2017-07-18 10:06:23 +03:00
image_size.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
instance_actions.py Update policy description for 'instance_actions' 2017-07-21 14:09:24 +00:00
instance_usage_audit_log.py Consistent policies 2017-07-17 16:45:41 -04:00
ips.py Consistent policies 2017-07-17 16:45:41 -04:00
keypairs.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
limits.py Consistent policies 2017-07-17 16:45:41 -04:00
lock_server.py Consistent policies 2017-07-17 16:45:41 -04:00
migrate_server.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
migrations.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
multinic.py Consistent policies 2017-07-17 16:45:41 -04:00
networks.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
networks_associate.py Consistent policies 2017-07-17 16:45:41 -04:00
pause_server.py Consistent policies 2017-07-17 16:45:41 -04:00
quota_class_sets.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
quota_sets.py Merge "Change default policy to view quota details" 2017-07-21 20:02:20 +00:00
remote_consoles.py Consistent policies 2017-07-17 16:45:41 -04:00
rescue.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
security_group_default_rules.py Consistent policies 2017-07-17 16:45:41 -04:00
security_groups.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
server_diagnostics.py Consistent policies 2017-07-17 16:45:41 -04:00
server_external_events.py Consistent policies 2017-07-17 16:45:41 -04:00
server_groups.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
server_metadata.py trivial: Fix few policy doc 2018-02-01 03:04:00 +00:00
server_password.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
server_tags.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
server_usage.py Deprecate API extensions policies 2017-12-07 04:05:58 +00:00
servers.py Add policy rule to block image-backed servers with 0 root disk flavor 2018-06-18 13:51:41 -04:00
servers_migrations.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
services.py Use uuid for id in os-services API 2017-07-18 15:39:57 -04:00
shelve.py Consistent policies 2017-07-17 16:45:41 -04:00
simple_tenant_usage.py Consistent policies 2017-07-17 16:45:41 -04:00
suspend_server.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00
tenant_networks.py Consistent policies 2017-07-17 16:45:41 -04:00
used_limits.py Consistent policies 2017-07-17 16:45:41 -04:00
virtual_interfaces.py Consistent policies 2017-07-17 16:45:41 -04:00
volumes.py Fix indentation in policy doc 2017-07-18 10:06:23 +03:00
volumes_attachments.py Remove 'create_rule_default' 2017-07-13 13:06:01 -04:00