
<br><br>On Wednesday, April 22, 2015, Matt Riedemann <<a href="mailto:mriedem@linux.vnet.ibm.com">mriedem@linux.vnet.ibm.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>

<br>

On 4/22/2015 8:32 AM, Sylvain Bauza wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hi,<br>

<br>

By discussing on a specific bug [1], I just discovered that the admin<br>

context check which was done at the DB level has been moved to the API<br>

level thanks to the api-policy-v3 blueprint [2]<br>

<br>

That behaviour still leads to a bug if the operator wants to change an<br>

endpoint policy by leaving it end-user but still continues to be denied<br>

because of that, as it will forbid any non-admin user to call the<br>

methods (even if authorize() grants the request)<br>

<br>

I consequently opened a bug [3] for this but I'm also concerned about<br>

the backportability of that and why it shouldn't fixed in v2.0 too.<br>

<br>

Releasing the check by removing it sounds an acceptable change, as it<br>

fixes a bug without changing the expected behaviour [4]. The impact of<br>

the change sounds also minimal with a very precise scope (ie. leave the<br>

policy rules work as they are expected) [5]<br>

<br>

Folks, thoughts ?<br>

<br>

-Sylvain<br>

<br>

[1] <a href="https://bugs.launchpad.net/nova/+bug/1447084" target="_blank">https://bugs.launchpad.net/nova/+bug/1447084</a><br>

[2]<br>

<a href="https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z" target="_blank">https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z</a><br>

<br>

[3] <a href="https://bugs.launchpad.net/nova/+bug/1447164" target="_blank">https://bugs.launchpad.net/nova/+bug/1447164</a><br>

[4]<br>

<a href="https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK" target="_blank">https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK</a><br>

"Fixing a bug so that a request which resulted in an error response<br>

before is now successful"<br>

[5] <a href="https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy" target="_blank">https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy</a><br>

<br>

__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

<br>

</blockquote>

<br>

I don't disagree, see bug 1168488 from way back in grizzly.<br>

<br>

The only thing would be we'd have to make sure the default rule is admin for any v2 extensions which are enforcing an admin context today.<br>

<br></blockquote><div><br></div><div>This sounds like a sane approach. </div><div><br></div><div>--Morgan<span></span> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

-- <br>

<br>

Thanks,<br>

<br>

Matt Riedemann<br>

<br>

<br>

__________________________________________________________________________<br>

OpenStack Development Mailing List (not for usage questions)<br>

Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

</blockquote>