[openstack-dev] [nova] Policy rules are killed by the context admin check

Sylvain Bauza sbauza at redhat.com
Wed Apr 22 13:32:45 UTC 2015


Hi,

While discussing a specific bug [1], I just discovered that the admin 
context check which was done at the DB level has been moved to the API 
level thanks to the api-policy-v3 blueprint [2].

That behaviour still leads to a bug if the operator wants to change an 
endpoint policy by leaving it end-user but still continues to be denied 
because of that, as it will forbid any non-admin user from calling the 
methods (even if authorize() grants the request).

I consequently opened a bug [3] for this but I'm also concerned about 
the backportability of that and why it shouldn't be fixed in v2.0 too.

Releasing the check by removing it sounds like an acceptable change, as it 
fixes a bug without changing the expected behaviour [4]. The impact of 
the change also sounds minimal, with a very precise scope (i.e. letting the 
policy rules work as they are expected) [5].

Folks, thoughts?

-Sylvain

[1] https://bugs.launchpad.net/nova/+bug/1447084
[2] https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z
[3] https://bugs.launchpad.net/nova/+bug/1447164
[4] https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK
    "Fixing a bug so that a request which resulted in an error response
    before is now successful"
[5] https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy
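
The interaction described in the message, as an added illustration that is not part of the original post and is not nova code: a handler that calls a policy check and then a hard-coded admin check ignores an operator's policy override. All names here (`RequestContext`, `require_admin_context`, the rule name, the policy tables) are hypothetical stand-ins for this simplified model.

```python
# Simplified model, constructed for illustration; not nova source code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Request denied."""


@dataclass
class RequestContext:
    user_id: str
    roles: list = field(default_factory=list)


ACTION = "compute:hypothetical_action"  # hypothetical rule name
# Constructed policy tables: rule -> required role ("" means any user).
DEFAULT_POLICY = {ACTION: "admin"}
OPERATOR_POLICY = {ACTION: ""}  # operator opens the endpoint to end users


def authorize(context, action, policy):
    """Policy layer: the only check an operator can tune."""
    required = policy.get(action, "admin")  # unknown rules stay admin-only
    if required and required not in context.roles:
        raise Forbidden(f"policy denies {action}")


def require_admin_context(context):
    """Hard-coded check that never consults the policy table."""
    if "admin" not in context.roles:
        raise Forbidden("admin context required")


def handler_with_hard_check(context, policy):
    authorize(context, ACTION, policy)
    require_admin_context(context)  # vetoes whatever the policy granted
    return "ok"


def handler_policy_only(context, policy):
    authorize(context, ACTION, policy)
    return "ok"


def outcome(handler, context, policy):
    try:
        return handler(context, policy)
    except Forbidden as exc:
        return f"denied: {exc}"
```

With the hard check removed, the default policy still restricts the action to admins, so only a deployment that deliberately changed the rule sees different behaviour.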


