763fd62464
This adds a new policy rule which defaults to behave in a backward compatible way, but will allow operators to enforce that servers created with a zero disk flavor must also be volume-backed servers. Allowing users to upload their own images and create image-backed servers on local disk with zero root disk size flavors can be potentially hazardous if the size of the image is unexpectedly large, since it can consume the local disk (or shared storage pool). It should be noted that disabling the new policy rule will result in a non-backward compatible API behavior change and no microversion is being introduced for this because enforcement via a new microversion would not close the security gap on any previous microversions. Related compute API reference and user documentation is updated to mention the policy rule along with a release note since this is tied to a security bug, which will be backported to stable branches.

Change-Id: Id67e1285a0522474844de130c9263e11868f67fb
Closes-Bug: #1739646
21 lines
1.0 KiB
YAML
```yaml
---
security:
  - |
    A new policy rule, ``os_compute_api:servers:create:zero_disk_flavor``, has
    been introduced which defaults to ``rule:admin_or_owner`` for backward
    compatibility, but can be configured to make the compute
    API enforce that server create requests using a flavor with zero root disk
    must be volume-backed or fail with a ``403 HTTPForbidden`` error.

    Allowing image-backed servers with a zero root disk flavor can be
    potentially hazardous if users are allowed to upload their own images,
    since an instance created with a zero root disk flavor gets its size
    from the image, which can be unexpectedly large and exhaust local disk
    on the compute host. See https://bugs.launchpad.net/nova/+bug/1739646 for
    more details.

    While this is introduced in a backward-compatible way, the default will
    be changed to ``rule:admin_api`` in a subsequent release. It is advised
    that you communicate this change to your users before turning on
    enforcement since it will result in a compute API behavior change.
```
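The following is an added illustrative model of the check the release note describes, not nova's own code: a server create request with a zero root disk flavor that is not volume-backed is gated by the `os_compute_api:servers:create:zero_disk_flavor` policy rule, and the local disk an instance would consume is shown to come from the image size when the flavor's root disk is zero. The policy name and the two rule values (`rule:admin_or_owner`, `rule:admin_api`) are taken from the note; the `Context`, `Flavor`, `CreateRequest` classes, the `Forbidden` exception and the helper names are assumptions made up for this example.

```python
"""Illustrative model of the zero-disk-flavor policy check from the release
note. Added example, not nova's implementation: data structures and helper
names are constructed here; only the policy/rule names come from the note."""
from dataclasses import dataclass, field

POLICY_RULE = "os_compute_api:servers:create:zero_disk_flavor"

# The backward-compatible default and the enforcing setting the note says
# will become the default in a later release.
DEFAULT_POLICY = {POLICY_RULE: "rule:admin_or_owner"}
ENFORCING_POLICY = {POLICY_RULE: "rule:admin_api"}


@dataclass
class Context:
    """Hypothetical request context: who is calling."""
    is_admin: bool
    project_id: str


@dataclass
class Flavor:
    """Hypothetical flavor: root_gb == 0 means 'size taken from the image'."""
    name: str
    root_gb: int


@dataclass
class CreateRequest:
    """Hypothetical server create request (constructed for this example)."""
    context: Context
    flavor: Flavor
    image_size_gb: int  # size of the (possibly user-uploaded) image
    block_device_mapping: list = field(default_factory=list)


class Forbidden(Exception):
    """Stands in for the 403 HTTPForbidden the API returns."""


def is_volume_backed(request):
    """True when the root disk (boot_index 0) is mapped to a volume."""
    for bdm in request.block_device_mapping:
        if bdm.get("boot_index") == 0 and bdm.get("destination_type") == "volume":
            return True
    return False


def policy_allows(policy, context):
    """Evaluate the two rule values the note mentions for this caller."""
    rule = policy[POLICY_RULE]
    if rule == "rule:admin_api":
        return context.is_admin
    if rule == "rule:admin_or_owner":
        # The caller creating a server in its own project is the owner.
        return True
    raise ValueError("unknown rule %r" % rule)


def local_disk_needed_gb(request):
    """Local disk the instance would occupy on the compute host.

    A volume-backed root disk uses none; a zero root disk flavor inherits
    the image size, which is the hazard the note describes."""
    if is_volume_backed(request):
        return 0
    return request.flavor.root_gb or request.image_size_gb


def check_zero_disk_flavor(policy, request):
    """Apply the policy gate and return the local disk the request would use.

    Raises Forbidden (the 403 case) when the flavor has zero root disk, the
    server is not volume-backed, and the policy denies this caller."""
    if request.flavor.root_gb == 0 and not is_volume_backed(request):
        if not policy_allows(policy, request.context):
            raise Forbidden(
                "Policy %s does not allow image-backed servers with a zero "
                "root disk flavor" % POLICY_RULE)
    return local_disk_needed_gb(request)


if __name__ == "__main__":
    # Constructed sample: a 500 GiB user image on a zero-disk flavor.
    user = Context(is_admin=False, project_id="demo")
    big = CreateRequest(user, Flavor("m1.zero", 0), image_size_gb=500)
    print("default policy, local disk used:", check_zero_disk_flavor(DEFAULT_POLICY, big))
    try:
        check_zero_disk_flavor(ENFORCING_POLICY, big)
    except Forbidden as exc:
        print("enforcing policy:", exc)
```

With the default rule the request succeeds and the instance lands 500 GiB on local disk; with `rule:admin_api` the same request from a non-admin is rejected, while the volume-backed form of the request passes under either setting because no local disk is consumed.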