** Description changed:

  [Impact]
  Based on the investigation here
  https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that
  rules from policy files located in the directory specified in the policy_dirs
  option (/etc/<config_dir>/policy.d by default) are not re-applied after the
  rules from the primary policy file are re-applied due to a change.
  
  This leads to scenarios where incorrect rule combinations are active.
  
  Example from the test case in 1880847:
  
  * policy.json gets read with the following rule;
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml from policy.d is read with the following rule;
  {'identity:list_credentials': '!'}
  * policy.json's mtime gets updated (with or without a content change) and
  overrides the rule to be
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml doesn't get reapplied since it hasn't changed.
  
  [Test Case]
+ == ubuntu ==
+ 
+ The patches include unit tests that ensure the code is behaving as
+ expected and has not regressed. These tests are run during every package
+ build.
+ 
+ == upstream ==
  For a particular version of oslo.policy:
  
  * put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py)
  under oslo_policy/tests/test_1880959.py;
  
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
  * observe the failure;
  # ...
  testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
  Ran 1 tests in 0.005s (+0.001s)
  FAILED (id=1, failures=1)
  
  * apply the patch;
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
  * observe that the failure is no longer there.
  
- 
  [Regression Potential]
  The regression potential is low given that there is test coverage in the
  oslo.policy unit tests.

** Changed in: cloud-archive/ussuri
       Status: Fix Committed => Triaged

** Changed in: cloud-archive/train
       Status: In Progress => Triaged

** Changed in: cloud-archive/stein
       Status: In Progress => Triaged

** Changed in: cloud-archive/rocky
       Status: In Progress => Triaged

** Changed in: cloud-archive/queens
       Status: In Progress => Triaged

** Changed in: cloud-archive
       Status: In Progress => Triaged

https://bugs.launchpad.net/bugs/1880959

Title:
  Rules from the policy directory files are not reapplied after changes
  to the primary policy file
