Page MenuHomePhabricator

Investigate any discrepancies between Horizon permissions and real permissions
Closed, ResolvedPublic

Description

See T247206 and T247573. It seems one can theoretically confirm an instance resizing in Nova, yet Horizon has a different policy that disallows it:

modules/openstack/files/queens/horizon/nova_policy.json:    "compute:confirm_resize": "!",
modules/openstack/files/queens/nova/common/policy.json:    "compute:confirm_resize": "rule:admin_or_projectadmin",

Any such distinction would presumably be a problem for opening up the API directly for use.

Event Timeline

Change 582594 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Horizon: split $version into $horizon_version and $openstack_version

https://gerrit.wikimedia.org/r/582594

Change 582846 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Horizon: unify horizon glance policy with actual glance policy.yaml

https://gerrit.wikimedia.org/r/582846

Change 582847 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Horizon: integrate Horizon policy with actual designate policy.yaml

https://gerrit.wikimedia.org/r/582847

Change 582848 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Horizon: integrate neutron policy with the actual Neutron policy.yaml

https://gerrit.wikimedia.org/r/582848

Change 582594 merged by Andrew Bogott:
[operations/puppet@production] Horizon: split $version into $horizon_version and $openstack_version

https://gerrit.wikimedia.org/r/582594

Change 582875 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Horizon: fix path to nova policy.yaml

https://gerrit.wikimedia.org/r/582875

Change 582875 merged by Andrew Bogott:
[operations/puppet@production] Horizon: fix path to nova policy.yaml

https://gerrit.wikimedia.org/r/582875

Change 582899 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone policy: merge keystone policy with horizon identity policy.yaml

https://gerrit.wikimedia.org/r/582899

Change 582846 merged by Andrew Bogott:
[operations/puppet@production] Horizon: unify horizon glance policy with actual glance policy.yaml

https://gerrit.wikimedia.org/r/582846

Change 582847 merged by Andrew Bogott:
[operations/puppet@production] Horizon: integrate Horizon policy with actual designate policy.yaml

https://gerrit.wikimedia.org/r/582847

Change 582848 merged by Andrew Bogott:
[operations/puppet@production] Horizon: integrate neutron policy with the actual Neutron policy.yaml

https://gerrit.wikimedia.org/r/582848

Change 582899 merged by Andrew Bogott:
[operations/puppet@production] Keystone policy: merge keystone policy with horizon identity policy.yaml

https://gerrit.wikimedia.org/r/582899

Change 583153 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Keystone policy: duplicate Queens policy.yaml

https://gerrit.wikimedia.org/r/583153

Change 583153 merged by Andrew Bogott:
[operations/puppet@production] Keystone policy: duplicate Queens policy.yaml

https://gerrit.wikimedia.org/r/583153

Change 583157 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova policy: add sudorule policy rules for Horizon

https://gerrit.wikimedia.org/r/583157

Change 583157 merged by Andrew Bogott:
[operations/puppet@production] nova policy: add sudorule policy rules for Horizon

https://gerrit.wikimedia.org/r/583157

Andrew claimed this task.