Something is not right on my env. It seems OK on the devstack.

** Changed in: keystone
       Status: New => Invalid

** Information type changed from Public to Private

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1389961

Title:
  Change of policy.json needs restart service

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  According to the document:
  http://docs.openstack.org/openstack-ops/content/projects_users.html

  A change to the policy file doesn't need a service restart. But I find
  this is not true.

  I tried the following on Juno.

  Steps:
  1. Create a user called guest in "Public" tenant and grant "user" role
  2. Login as "guest" and delete a flavor, it succeeds.
  3. Change /etc/nova/policy.json
   "compute_extension:flavormanage": "rule:owner", to "rule:admin"
  4. Try to delete another flavor, access denied.
  5. Restart nova-api, delete succeeds.

  [root@ip]# nova flavor-delete 3
  ERROR (Forbidden): Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-9f8699fe-dba0-4044-ac35-59d09079cbe6)

  [root@ip]#service nova-api restart

  [root@ip]# nova flavor-delete 3
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  [root@ip]# nova flavor-list
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name     | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 1  | m1.tiny  | 512       | 1    | 0         |      | 1     | 1.0         | True      |
  | 2  | m1.small | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+

  
  I also tried similar cases on glance policy. The result is the same. If a
  user removes some privilege from policy.json and doesn't restart the service,
  this bug could cause serious security problems.
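
Added example, not part of the bug report and not nova or oslo code: a toy enforcer showing how a policy cached in memory keeps granting a permission after it is removed from policy.json, while one that re-checks the file on each request denies it. The PolicyEnforcer and write_policy names and the role lists under "owner" and "admin" are assumptions made for the illustration.

```python
import json
import os
import tempfile

ACTION = "compute_extension:flavormanage"  # rule name taken from the report

class PolicyEnforcer:
    """Toy enforcer (hypothetical; not nova or oslo code)."""
    def __init__(self, path, reload_on_change):
        self.path = path
        self.reload_on_change = reload_on_change
        self._load()

    def _fingerprint(self):
        st = os.stat(self.path)
        return (st.st_mtime_ns, st.st_ino)  # changes on edit or atomic replace

    def _load(self):
        self._seen = self._fingerprint()
        with open(self.path) as fh:
            self._rules = json.load(fh)

    def allowed(self, action, roles):
        if self.reload_on_change and self._fingerprint() != self._seen:
            self._load()
        target = self._rules.get(action)
        if not isinstance(target, str) or not target.startswith("rule:"):
            return False  # fail closed on a missing or malformed rule
        return bool(set(roles) & set(self._rules.get(target[5:], [])))

def write_policy(path, rules):
    # Write a new file and rename it over the old one (atomic, new inode).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as fh:
        json.dump(rules, fh)
    os.replace(tmp, path)

def demo():
    # Constructed policy: named rules list the roles that satisfy them.
    rules = {"owner": ["user", "admin"], "admin": ["admin"], ACTION: "rule:owner"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policy.json")
        write_policy(path, rules)
        cached = PolicyEnforcer(path, reload_on_change=False)
        reloading = PolicyEnforcer(path, reload_on_change=True)
        before = (cached.allowed(ACTION, ["user"]), reloading.allowed(ACTION, ["user"]))
        rules[ACTION] = "rule:admin"  # the edit from step 3 of the report
        write_policy(path, rules)
        after = (cached.allowed(ACTION, ["user"]), reloading.allowed(ACTION, ["user"]))
    return before, after
```

Each tuple returned by demo() is (cached enforcer, reloading enforcer); after the edit only the reloading one denies the "user" role.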
