On 4/22/2015 8:32 AM, Sylvain Bauza wrote:
Hi,

By discussing on a specific bug [1], I just discovered that the admin
context check which was done at the DB level has been moved to the API
level thanks to the api-policy-v3 blueprint [2]

That behaviour still leads to a bug if the operator wants to change an
endpoint policy by leaving it end-user but still continues to be denied
because of that, as it will forbid any non-admin user to call the
methods (even if authorize() grants the request)

I consequently opened a bug [3] for this but I'm also concerned about
the backportability of that and why it shouldn't be fixed in v2.0 too.

Releasing the check by removing it sounds an acceptable change, as it
fixes a bug without changing the expected behaviour [4]. The impact of
the change sounds also minimal with a very precise scope (ie. leave the
policy rules work as they are expected) [5]

Folks, thoughts?

-Sylvain

[1] https://bugs.launchpad.net/nova/+bug/1447084
[2] https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:bp/v3-api-policy,n,z
[3] https://bugs.launchpad.net/nova/+bug/1447164
[4] https://wiki.openstack.org/wiki/APIChangeGuidelines#Generally_Considered_OK
"Fixing a bug so that a request which resulted in an error response
before is now successful"
[5] https://wiki.openstack.org/wiki/StableBranch#Stable_branch_policy

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


I don't disagree, see bug 1168488 from way back in grizzly.

The only thing would be we'd have to make sure the default rule is admin for any v2 extensions which are enforcing an admin context today.

--

Thanks,

Matt Riedemann
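
The behaviour discussed in this thread, as an added example that is not part of either message and is not nova code: a hard-coded admin check placed after the policy check denies a non-admin user even when the operator's policy grants the request, while a policy-only handler stays admin-only as long as the default rule is admin. Every name here (`authorize`, `require_admin_context`, the handlers, the action name and the policy contents) is a hypothetical stand-in for this simplified model.

```python
# Added illustration: a simplified model, not nova code. All names are hypothetical.
from dataclasses import dataclass

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Context:
    user: str
    is_admin: bool = False

RULES = {"admin": lambda ctx: ctx.is_admin, "any_user": lambda ctx: True}

def authorize(policy, action, ctx):
    # Actions the operator has not listed fall back to the admin rule,
    # which is the default the reply asks for.
    rule = policy.get(action, "admin")
    if not RULES[rule](ctx):
        raise Forbidden(f"rule {rule!r} denies {action} for {ctx.user}")

def require_admin_context(ctx):
    # Hard-coded check that no policy file can relax.
    if not ctx.is_admin:
        raise Forbidden(f"{ctx.user} is not admin")

def handler_with_hardcoded_check(policy, action, ctx):
    authorize(policy, action, ctx)
    require_admin_context(ctx)  # denies non-admins even when policy grants
    return "ok"

def handler_policy_only(policy, action, ctx):
    authorize(policy, action, ctx)  # policy alone decides
    return "ok"

def outcome(handler, policy, action, ctx):
    try:
        return handler(policy, action, ctx)
    except Forbidden:
        return "denied"

ACTION = "os-example:list"              # constructed action name
OPERATOR_POLICY = {ACTION: "any_user"}  # constructed operator override
ALICE, ROOT = Context("alice"), Context("root", is_admin=True)

if __name__ == "__main__":
    for handler in (handler_with_hardcoded_check, handler_policy_only):
        for policy in (OPERATOR_POLICY, {}):
            print(handler.__name__, policy, outcome(handler, policy, ACTION, ALICE))
```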

