** Changed in: neutron
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1445690

Title:
  "legacy" admin rule does not work and is not needed anymore

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  in neutron/policy.py:

  def check_is_admin(context):
      """Verify context has admin rights according to policy settings."""
      init()
      # the target is user-self
      credentials = context.to_dict()
      target = credentials
      # Backward compatibility: if ADMIN_CTX_POLICY is not
      # found, default to validating role:admin
      admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in _ENFORCER.rules
                      else 'role:admin')
      return _ENFORCER.enforce(admin_policy, target, credentials)

  If ADMIN_CTX_POLICY is not specified the enforcer checks role:admin,
  which, since it does not exist among rules loaded from file, defaults to
  TrueCheck.

  This is wrong, and to an extent even dangerous because if
  ADMIN_CTX_POLICY is missing, then every context would be regarded as
  an admin context. Thankfully this was only for backward compatibility
  and is not necessary anymore.

  A similar mistake is done for ADVSVC_CTX_POLICY. This is even more
  puzzling because there was no backward compatibility requirement
  there.

  Obviously the unit tests supposed to ensure the correct behaviour of
  the backward compatibility tweak are validating something completely
  different.
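
The failure mode described in the report, shown with a simplified enforcer model. This is an added example, not part of the bug report and not neutron or oslo.policy code: ToyEnforcer, has_role and check_is_admin_strict are hypothetical names, the always-true fallback for an unknown rule name follows the report's description, and the credentials are constructed.

```python
# Simplified model, constructed for illustration (not neutron or oslo.policy code).
ADMIN_CTX_POLICY = "context_is_admin"


class ToyEnforcer:
    """Rules are looked up by *name*; each rule is a predicate over credentials."""

    def __init__(self, rules, fail_open):
        self.rules = dict(rules)
        self.fail_open = fail_open  # True models the permissive fallback in the report

    def enforce(self, rule_name, target, credentials):
        check = self.rules.get(rule_name)
        if check is None:
            # Unknown rule name: per the report this ends up as an always-true check.
            return self.fail_open
        return check(target, credentials)


def has_role(role):
    return lambda target, creds: role in creds.get("roles", [])


def check_is_admin_legacy(enforcer, credentials):
    # Same shape as the snippet in the report: 'role:admin' is a check string,
    # but it is passed where a rule *name* is expected.
    policy = ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in enforcer.rules else "role:admin"
    return enforcer.enforce(policy, credentials, credentials)


def check_is_admin_strict(enforcer, credentials):
    # Fail closed: without an explicit admin rule, no context is admin.
    if ADMIN_CTX_POLICY not in enforcer.rules:
        return False
    return enforcer.enforce(ADMIN_CTX_POLICY, credentials, credentials)


# Constructed sample data.
MEMBER = {"user_id": "u1", "roles": ["member"]}
ADMIN = {"user_id": "u2", "roles": ["admin"]}
RULES_WITH_ADMIN = {ADMIN_CTX_POLICY: has_role("admin")}
RULES_WITHOUT_ADMIN = {"create_network": has_role("member")}

if __name__ == "__main__":
    for label, rules in (("rule present", RULES_WITH_ADMIN),
                         ("rule missing", RULES_WITHOUT_ADMIN)):
        e = ToyEnforcer(rules, fail_open=True)
        print(label, "legacy:", check_is_admin_legacy(e, MEMBER),
              "strict:", check_is_admin_strict(e, MEMBER))
```

A regression test for this needs the negative case (a non-admin context with the admin rule missing); a test that only passes an admin context succeeds under both versions.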