<br><br>On Wednesday, April 22, 2015, Matt Riedemann <<a href="mailto:mriedem@linux.vnet.ibm.com">mriedem@linux.vnet.ibm.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 4/22/2015 8:32 AM, Sylvain Bauza wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
While discussing a specific bug [1], I just discovered that the admin<br>
context check which was done at the DB level has been moved to the API<br>
level thanks to the api-policy-v3 blueprint [2].<br>
<br>
That behaviour still leads to a bug if the operator wants to change an<br>
endpoint policy to leave it open to end-users but is still denied<br>
because of that check, as it forbids any non-admin user from calling the<br>
methods (even if authorize() grants the request).<br>
<br>
I consequently opened a bug [3] for this, but I'm also concerned about<br>
the backportability of that and why it shouldn't be fixed in v2.0 too.<br>
<br>
Releasing the check by removing it sounds like an acceptable change, as it<br>
fixes a bug without changing the expected behaviour [4]. The impact of<br>
the change also sounds minimal, with a very precise scope (i.e. letting the<br>
policy rules work as they are expected to) [5].<br>
<br>
Folks, thoughts?<br>
<br>
-Sylvain<br>
<br>
[1] <a href="https://bugs.launchpad.net/nova/+bug/1447084" target="_blank">https://bugs.launchpad.net/nova/+bug/1447084</a><br>
[2]<br>
<a href="https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z" target="_blank">https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z</a><br>
<br>
[3] <a href="https://bugs.launchpad.net/nova/+bug/1447164" target="_blank">https://bugs.launchpad.net/nova/+bug/1447164</a><br>
[4]<br>
<a href="https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK" target="_blank">https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK</a><br>
"Fixing a bug so that a request which resulted in an error response<br>
before is now successful"<br>
[5] <a href="https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy" target="_blank">https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy</a><br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
<br>
I don't disagree, see bug 1168488 from way back in grizzly.<br>
<br>
The only thing would be we'd have to make sure the default rule is admin for any v2 extensions which are enforcing an admin context today.<br>
<br></blockquote><div><br></div><div>This sounds like a sane approach. </div><div><br></div><div>--Morgan<span></span> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-- <br>
<br>
Thanks,<br>
<br>
Matt Riedemann<br>
<br>
<br>
</blockquote>
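The mechanism the thread is describing, as an added example that is not code from the thread, from Nova or from oslo.policy: a small stand-in for the API-level authorize() check and the DB-level admin-context check, showing why the DB check defeats an operator's relaxed policy rule, and why, once that check is removed, the policy default for such extensions has to be admin-only so the change does not fail open. The rule name, data shapes and helper names are assumptions.

```python
# Added example, not code from the thread, Nova or oslo.policy: a small
# stand-in for Nova's API-level authorize() plus the DB-level admin check.
# The rule name, data shapes and helper names below are assumptions.
from dataclasses import dataclass, field

RULE = "compute_extension:admin_action"  # hypothetical policy rule name
ROWS = ["server-a", "server-b"]          # constructed DB result


@dataclass
class Context:
    roles: set = field(default_factory=set)

    @property
    def is_admin(self):
        return "admin" in self.roles


class PolicyNotAuthorized(Exception):
    pass


def authorize(rules, rule, ctx):
    """policy.json-style check: "is_admin" = admins only, "" = anyone.
    A rule that is not listed falls back to the "default" entry."""
    if rules.get(rule, rules["default"]) == "is_admin" and not ctx.is_admin:
        raise PolicyNotAuthorized(rule)


def require_admin_context(fn):
    """The DB-layer check the thread proposes removing: it never looks at
    policy, so an operator who relaxes the rule still gets a denial."""
    def wrapper(ctx, *args):
        if not ctx.is_admin:
            raise PolicyNotAuthorized("admin context required")
        return fn(ctx, *args)
    return wrapper


@require_admin_context
def db_query_with_check(ctx):
    return list(ROWS)


def db_query_no_check(ctx):
    return list(ROWS)


def api_call(ctx, rules, db_fn):
    """API layer: policy first, then the DB call; None when either denies."""
    try:
        authorize(rules, RULE, ctx)
        return db_fn(ctx)
    except PolicyNotAuthorized:
        return None
```

With the rule relaxed to "" the decorated DB call still denies a non-admin (the bug), the undecorated one honours the rule (the fix), and with no explicit rule the outcome depends entirely on the "default" entry, which is the point Matt raises.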