Public bug reported: Based on the investigation here https://bugs.launchpad.net/charm- keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file is re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active. Example from the test case in 1880847: * policy.json gets read with the following rule; "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", * rule.yaml from policy.d is read with the following rule; {'identity:list_credentials': '!'} * policy.json's mtime gets updated (with or without a content change) and overrides the rule to be "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", * rule.yaml doesn't get reapplied since it hasn't changed. ** Affects: python-oslo.policy (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1880959 Title: Rules from the policy directory files are not reapplied after changes to the primary policy file To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs