Public bug reported: The following should not exist in keystone/common/policies/base.py:
policy.RuleDefault( name='default', check_str='rule:admin_required') because a default rule should no longer apply with policy in code. If we've correctly defined all policy rules in code, then we'll never have a case where code is checking a rule that can't be found, which is when the default rule is checked. In previous releases, some operators who override policy used the default rule to restrict all rules that they (intentionally) omitted from their policy.json. This shortened those files, and protected them if keystone added new policy checks until/unless they decided to open things up more widely. Leaving the default rule defined now that policy is in code will confuse this kind of operator (and possibly others) who haven't thought it through and realized that the default rule can't be used like that anymore because it won't be checked just because you didn't define another rule in policy.json. ** Affects: keystone Importance: Undecided Assignee: Matthew Edmonds (edmondsw) Status: In Progress ** Changed in: keystone Assignee: (unassigned) => Matthew Edmonds (edmondsw) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1703392 Title: default rule no longer applies with policy in code Status in OpenStack Identity (keystone): In Progress Bug description: The following should not exist in keystone/common/policies/base.py: policy.RuleDefault( name='default', check_str='rule:admin_required') because a default rule should no longer apply with policy in code. If we've correctly defined all policy rules in code, then we'll never have a case where code is checking a rule that can't be found, which is when the default rule is checked. In previous releases, some operators who override policy used the default rule to restrict all rules that they (intentionally) omitted from their policy.json. This shortened those files, and protected them if keystone added new policy checks until/unless they decided to open things up more widely. Leaving the default rule defined now that policy is in code will confuse this kind of operator (and possibly others) who haven't thought it through and realized that the default rule can't be used like that anymore because it won't be checked just because you didn't define another rule in policy.json. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1703392/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp