[openstack-dev] [nova] Policy rules are killed by the context admin check

Morgan Fainberg morgan.fainberg at gmail.com
Wed Apr 22 23:02:49 UTC 2015


On Wednesday, April 22, 2015, Matt Riedemann <mriedem at linux.vnet.ibm.com>
wrote:

>
>
> On 4/22/2015 8:32 AM, Sylvain Bauza wrote:
>
>> Hi,
>>
>> By discussing on a specific bug [1], I just discovered that the admin
>> context check which was done at the DB level has been moved to the API
>> level thanks to the api-policy-v3 blueprint [2]
>>
>> That behaviour still leads to a bug if the operator wants to change an
>> endpoint policy by leaving it end-user but still continues to be denied
>> because of that, as it will forbid any non-admin user to call the
>> methods (even if authorize() grants the request)
>>
>> I consequently opened a bug [3] for this but I'm also concerned about
>> the backportability of that and why it shouldn't be fixed in v2.0 too.
>>
>> Releasing the check by removing it sounds like an acceptable change, as it
>> fixes a bug without changing the expected behaviour [4]. The impact of
>> the change also sounds minimal, with a very precise scope (i.e. leave the
>> policy rules working as they are expected) [5]
>>
>> Folks, thoughts?
>>
>> -Sylvain
>>
>> [1] https://bugs.launchpad.net/nova/+bug/1447084
>> [2] https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z
>> [3] https://bugs.launchpad.net/nova/+bug/1447164
>> [4] https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK
>> "Fixing a bug so that a request which resulted in an error response
>> before is now successful"
>> [5] https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> I don't disagree, see bug 1168488 from way back in grizzly.
>
> The only thing would be we'd have to make sure the default rule is admin
> for any v2 extensions which are enforcing an admin context today.
>
>
This sounds like a sane approach.

--Morgan

> --
>
> Thanks,
>
> Matt Riedemann
>
>
>
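A toy model of the interaction Sylvain describes, added here as an illustration and not Nova's code: a hard-coded admin-context check placed before `authorize()` denies non-admin callers no matter what the operator puts in policy.json, while the policy-only form honours the override and stays admin-only under the shipped default rule, as Matt notes it must. The rule syntax is a stand-in for oslo.policy, and the extension name and the `operator` role are made up.

```python
# Added illustration, not Nova code: toy model of the policy-vs-admin-check bug.
class Context:
    def __init__(self, roles=(), is_admin=False):
        self.roles, self.is_admin = set(roles), is_admin

class PolicyNotAuthorized(Exception):
    pass

def check_rule(rules, rule, ctx):
    """Minimal stand-in for oslo.policy: '' (allow), 'is_admin:True', 'role:<r>', 'rule:<name>'."""
    if rule == "":
        return True
    kind, _, value = rule.partition(":")
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return check_rule(rules, rules[value], ctx)
    return False

def authorize(rules, target, ctx):
    """Policy enforcement as an operator expects it: the rule for the target decides."""
    if not check_rule(rules, rules.get(target, rules["default"]), ctx):
        raise PolicyNotAuthorized(target)

def extension_with_context_check(rules, ctx):
    """Buggy form: the admin-context check runs first, so an operator policy
    that grants the call to non-admins never gets a chance to apply."""
    if not ctx.is_admin:
        raise PolicyNotAuthorized("admin context required")
    authorize(rules, "compute_extension:example", ctx)
    return "ok"

def extension_policy_only(rules, ctx):
    """Fixed form: only the policy decides. The shipped default rule must then
    be admin-only, or dropping the check would silently open the extension."""
    authorize(rules, "compute_extension:example", ctx)
    return "ok"

def outcome(func, rules, ctx):
    try:
        return func(rules, ctx)
    except PolicyNotAuthorized:
        return "denied"

# Shipped defaults (constructed): unlisted targets fall back to admin-only.
DEFAULT_RULES = {"default": "rule:admin_api", "admin_api": "is_admin:True"}
# Operator override (constructed): let the made-up "operator" role call it.
OPERATOR_RULES = dict(DEFAULT_RULES, **{"compute_extension:example": "role:operator"})
```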

