<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2015-04-23 6:55 GMT+08:00 Matt Riedemann <span dir="ltr"><<a href="mailto:mriedem@linux.vnet.ibm.com" target="_blank">mriedem@linux.vnet.ibm.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5"><br>
<br>
On 4/22/2015 8:32 AM, Sylvain Bauza wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi,<br>
<br>
While discussing a specific bug [1], I just discovered that the admin<br>
context check, which was done at the DB level, has been moved to the API<br>
level thanks to the api-policy-v3 blueprint [2].<br>
<br>
That behaviour still leads to a bug if the operator wants to change an<br>
endpoint policy by leaving it open to end users but still gets denied<br>
because of that check, as it will forbid any non-admin user from calling the<br>
methods (even if authorize() grants the request).<br>
<br>
I consequently opened a bug [3] for this, but I'm also concerned about<br>
the backportability of that and why it shouldn't be fixed in v2.0 too.<br>
<br>
Releasing the check by removing it sounds like an acceptable change, as it<br>
fixes a bug without changing the expected behaviour [4]. The impact of<br>
the change also sounds minimal, with a very precise scope (i.e. let the<br>
policy rules work as they are expected to) [5].<br>
<br>
Folks, thoughts?<br>
<br>
-Sylvain<br>
<br>
[1] <a href="https://bugs.launchpad.net/nova/+bug/1447084" target="_blank">https://bugs.launchpad.net/nova/+bug/1447084</a><br>
[2]<br>
<a href="https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z" target="_blank">https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z</a><br>
<br>
[3] <a href="https://bugs.launchpad.net/nova/+bug/1447164" target="_blank">https://bugs.launchpad.net/nova/+bug/1447164</a><br>
[4]<br>
<a href="https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK" target="_blank">https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK</a><br>
"Fixing a bug so that a request which resulted in an error response<br>
before is now successful"<br>
[5] <a href="https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy" target="_blank">https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy</a><br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
<br></div></div>
I don't disagree, see bug 1168488 from way back in grizzly.<br>
<br>
The only thing would be that we'd have to make sure the default rule is admin for any v2 extensions which are enforcing an admin context today.</blockquote><div><br></div><div>Agree, if we want to fix those for v2, we need to make sure the default rule is admin.</div><div><br></div><div>And do you mean [3] wants to fix this for v2 in both Kilo and Liberty?</div><div><br></div><div>For Liberty, we can do that, but I think we will switch to v2.1 very soon. Not sure it is still worth doing.</div><div><br></div><div>For Kilo, some of the APIs are pretty easy to fix by just removing 'require_admin_context()'. But there are still many policy patches that haven't merged into master yet, like:</div><div><a href="https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/nova-api-policy-final-part,n,z">https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/nova-api-policy-final-part,n,z</a><br></div><div><a href="https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z">https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z</a><br></div><div><a href="https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:remove_qutoa_hardcode_permission,n,z">https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:remove_qutoa_hardcode_permission,n,z</a><br></div><div><a href="https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:remove_quotaclass_hardcode_permission,n,z">https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:remove_quotaclass_hardcode_permission,n,z</a><br></div><div><br></div><div>Should we back-port them all?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><font color="#888888"><br>
<br>
-- <br>
<br>
Thanks,<br>
<br>
Matt Riedemann</font></span><div class=""><div class="h5"><br>
<br>
<br>
</div></div></blockquote></div><br></div></div>
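A toy model of the two enforcement layers under discussion, added here as an illustration and not code from nova or from this thread: the hard-coded admin check denies a non-admin caller before the operator's policy rule is even consulted, and dropping that check only keeps the endpoint admin-only when the action's rule (or the policy's default rule) is admin, which is the point Matt raises. The action name, the rule syntax and all helpers are assumptions made for the example.

```python
# Toy model (constructed, not nova code) of the two enforcement layers the
# thread discusses: a hard-coded admin check wrapped around an API method and
# the operator-editable policy rule consulted by authorize().
from dataclasses import dataclass

class Forbidden(Exception):
    pass

@dataclass
class Context:
    project_id: str
    is_admin: bool

def require_admin_context(fn):
    """Hypothetical stand-in for the hard-coded check; it runs before policy."""
    def wrapper(context, *args):
        if not context.is_admin:
            raise Forbidden("hard-coded admin check")
        return fn(context, *args)
    return wrapper

def authorize(policy, context, action, target):
    """Tiny rule evaluator: '' allows all, 'is_admin:True' admins only,
    'rule:admin_or_owner' admins or the target's project owner; an action
    with no entry falls back to the policy's 'default' rule (deny if none)."""
    rule = policy.get(action, policy.get("default"))
    if rule == "":
        return True
    if rule == "is_admin:True":
        return context.is_admin
    if rule == "rule:admin_or_owner":
        return context.is_admin or context.project_id == target["project_id"]
    return False  # unknown or missing rule: deny

def build_api(policy, hardcoded_check):
    """Build a handler for a placeholder action, with or without the check."""
    def index(context, target):
        if not authorize(policy, context, "compute_extension:example", target):
            raise Forbidden("policy")
        return "ok"
    return require_admin_context(index) if hardcoded_check else index

def call(policy, hardcoded_check, is_admin, project_id="p1"):
    """Exercise the handler and report which layer, if any, denied."""
    try:
        return build_api(policy, hardcoded_check)(
            Context(project_id, is_admin), {"project_id": "p1"})
    except Forbidden as exc:
        return "denied by %s" % exc
```

With the operator's rule set to `""` the hard-coded check still denies non-admins (the bug in [3]); without the check the same caller is allowed, but a policy with only a `default` of `rule:admin_or_owner` then also lets project owners through, which is why the per-action rule has to be admin before the check is removed.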