Something is not right on my env. It seems OK on the devstack.

** Changed in: keystone
   Status: New => Invalid

** Information type changed from Public to Private

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1389961

Title:
  Change of policy.json needs restart service

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  According to the document:
  http://docs.openstack.org/openstack-ops/content/projects_users.html
  the change on policy file doesn't need service restart. But I find it is
  not true. I tried the following on Juno.

  Steps:
  1. Create a user called guest in "Public" tenant and grant "user" role
  2. Login as "guest" and delete a flavor, it succeeds.
  3. Change /etc/nova/policy.json
       "compute_extension:flavormanage": "rule:owner",
     to "rule:admin"
  4. Try to delete another flavor, access denied.
  5. Restart nova-api, delete succeeds.

  [root@ip]# nova flavor-delete 3
  ERROR (Forbidden): Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-9f8699fe-dba0-4044-ac35-59d09079cbe6)
  [root@ip]# service nova-api restart
  [root@ip]# nova flavor-delete 3
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  [root@ip]# nova flavor-list
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name     | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 1  | m1.tiny  | 512       | 1    | 0         |      | 1     | 1.0         | True      |
  | 2  | m1.small | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+

  I also tried similar cases on glance policy. The result is the same.

  If a user remove some privilege from policy.json and doesn't restart
  service, this bug could cause serious security problems.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1389961/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
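Added example, not code from the bug report or from Nova: a constructed policy.json carrying the target named above is read by two simplified enforcers, one that caches rules at start-up and one that re-reads the file when its mtime changes, which is the difference between an edit that silently waits for a restart and one that takes effect at once. The rule semantics ("rule:admin" needs the admin role, anything else is allowed) and the helper names are assumptions made for the example.

```python
import json
import os
import tempfile

# Constructed policy.json contents, using the target named in the bug report.
INITIAL_POLICY = {"compute_extension:flavormanage": "rule:owner"}
CHANGED_POLICY = {"compute_extension:flavormanage": "rule:admin"}

def write_policy(path, policy, mtime):
    """Write the policy and pin its mtime so the reload check is deterministic."""
    with open(path, "w") as f:
        json.dump(policy, f)
    os.utime(path, (mtime, mtime))

def load_rules(path):
    with open(path) as f:
        return json.load(f)

def allowed(rules, target, roles):
    """Simplified rule semantics (assumption): "rule:admin" needs the admin
    role, any other rule string is allowed, an unknown target is denied."""
    rule = rules.get(target)
    return rule is not None and (rule != "rule:admin" or "admin" in roles)

class StartupCacheEnforcer:
    """Reads policy.json once at start-up; later edits stay invisible until restart."""
    def __init__(self, path):
        self.path, self.rules = path, load_rules(path)

    def enforce(self, target, roles):
        return allowed(self.rules, target, roles)

class MtimeReloadEnforcer(StartupCacheEnforcer):
    """Re-reads policy.json when its mtime changes, so edits apply without restart."""
    def __init__(self, path):
        super().__init__(path)
        self.mtime = os.stat(path).st_mtime

    def enforce(self, target, roles):
        mtime = os.stat(self.path).st_mtime
        if mtime != self.mtime:  # file changed since last check: pick up new rules
            self.rules, self.mtime = load_rules(self.path), mtime
        return allowed(self.rules, target, roles)

def demo():
    """Start both enforcers, then tighten the file; return (cached, reloading)."""
    path = os.path.join(tempfile.mkdtemp(), "policy.json")
    write_policy(path, INITIAL_POLICY, 1000)
    cached, reloading = StartupCacheEnforcer(path), MtimeReloadEnforcer(path)
    write_policy(path, CHANGED_POLICY, 2000)  # operator removes the privilege
    target, roles = "compute_extension:flavormanage", ["user"]
    return cached.enforce(target, roles), reloading.enforce(target, roles)
```

demo() returns (True, False): the start-up cache still grants the "user" role the removed privilege, while the mtime-checking enforcer denies it immediately.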