Public bug reported:
The following should not exist in keystone/common/policies/base.py:
policy.RuleDefault(
name='default',
check_str='rule:admin_required')
because a default rule should no longer apply with policy in code. If
we've correctly defined all policy rules in code, then we'll never have
a case where code is checking a rule that can't be found, which is when
the default rule is checked.
In previous releases, some operators who override policy used the
default rule to restrict all rules that they (intentionally) omitted
from their policy.json. This shortened those files, and protected them
if keystone added new policy checks until/unless they decided to open
things up more widely. Leaving the default rule defined now that policy
is in code will confuse this kind of operator (and possibly others) who
haven't thought it through and realized that the default rule can't be
used like that anymore because it won't be checked just because you
didn't define another rule in policy.json.
** Affects: keystone
Importance: Undecided
Assignee: Matthew Edmonds (edmondsw)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Matthew Edmonds (edmondsw)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1703392
Title:
default rule no longer applies with policy in code
Status in OpenStack Identity (keystone):
In Progress
Bug description:
The following should not exist in keystone/common/policies/base.py:
policy.RuleDefault(
name='default',
check_str='rule:admin_required')
because a default rule should no longer apply with policy in code. If
we've correctly defined all policy rules in code, then we'll never
have a case where code is checking a rule that can't be found, which
is when the default rule is checked.
In previous releases, some operators who override policy used the
default rule to restrict all rules that they (intentionally) omitted
from their policy.json. This shortened those files, and protected them
if keystone added new policy checks until/unless they decided to open
things up more widely. Leaving the default rule defined now that
policy is in code will confuse this kind of operator (and possibly
others) who haven't thought it through and realized that the default
rule can't be used like that anymore because it won't be checked just
because you didn't define another rule in policy.json.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703392/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
