Reviewed:  https://review.openstack.org/510569
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=8710f6338d0596ebc7c0d8a69675d9333631504b
Submitter: Zuul
Branch:    master

commit 8710f6338d0596ebc7c0d8a69675d9333631504b
Author: Doug Hellmann <d...@doughellmann.com>
Date:   Mon Oct 9 09:31:08 2017 -0400

    expand type documentation for Enforcer arguments

    As part of bug #1720354 we discovered that arguments being passed to
    the enforcer were not always dictionaries and did not always support
    the full API needed. Expand the documentation to make the
    requirements clearer.

    Change-Id: I6c940d825cf72777e2a7946ab7489a1ed5359235
    Closes-Bug: #1720354
    Signed-off-by: Doug Hellmann <d...@doughellmann.com>

** Changed in: oslo.policy
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1720354

Title:
  Glance doesn't send correctly authorization request to Oslo policy

Status in Glance:
  Fix Released
Status in oslo.policy:
  Fix Released

Bug description:
  We have an OpenStack/Mitaka installed with Keystone, Nova and Glance.

  In /etc/glance/policy.json, we have modified the following lines to
  test the http_check function of Oslo policy:

      ...
      "add_image": "http://moon:8081/authz/wrapper",
      "delete_image": "http://moon:8081/authz/wrapper",
      "get_image": "http://moon:8081/authz/wrapper",
      "get_images": "http://moon:8081/authz/wrapper",
      "modify_image": "http://moon:8081/authz/wrapper",
      ...

  Then, when we run:

      $ openstack image list
      +--------------------------------------+--------+--------+
      | ID                                   | Name   | Status |
      +--------------------------------------+--------+--------+
      | 6e31cdd2-4968-4a80-aebc-fcdd6f213091 | cirros | active |
      +--------------------------------------+--------+--------+

  with no problem, but if we run:

      $ openstack image create --disk-format qcow2 --file /vagrant/cirros-0.3.5-x86_64-disk.img --container-format bare cirros4
      400 Bad Request cannot deepcopy this pattern object (HTTP 400)

  The Oslo_Policy code doesn't raise an error but stops when trying to
  deepcopy the target variable in
  oslo.policy/oslo.policy/oslo_policy/_checks.py (line ~241), and we
  have the following event in the Glance API logs:

      2017-09-25 12:48:16.044 16600 DEBUG oslo_policy._cache_handler [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloading cached file /etc/glance/policy.json read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:40
      2017-09-25 12:48:16.047 16600 DEBUG oslo_policy.policy [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloaded policy file: /etc/glance/policy.json _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:682
      2017-09-25 12:48:16.075 16600 DEBUG glance.api.v2.images [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] cannot deepcopy this pattern object create /usr/lib/python2.7/dist-packages/glance/api/v2/images.py:85
      2017-09-25 12:48:16.084 16600 INFO eventlet.wsgi.server [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] 127.0.0.1 - - [25/Sep/2017 12:48:16] "POST /v2/images HTTP/1.1" 400 273 0.053245

  Another problem is that we do not have enough information in the
  target variable (in oslo.policy/oslo.policy/oslo_policy/_checks.py).
  Because most of the information has the 'object' type, it is deleted
  from the temp_target variable (line ~244).

  We believe that this is due to the Glance part, since it doesn't
  properly prepare the authorization request (body) to Oslo policy.
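
An added example, not code from oslo.policy or Glance: it reproduces the class of failure in the report (a mapping-like target that cannot be deep-copied as a whole) and shows a per-key copy that returns the names of the attributes it had to drop, so the caller can log what the external authorization endpoint will not see. Assumptions: `TargetWrapper`, `sample_target`, `whole_copy_fails` and `build_payload_target` are hypothetical names, the attribute values are constructed, and a `threading.Lock` stands in for the Python 2.7 compiled regex pattern because current Python versions can deep-copy patterns.

```python
import copy
import json
import threading


class TargetWrapper(object):
    """Constructed stand-in for a service-side target: mapping-like, not a dict."""

    def __init__(self, **attrs):
        self._attrs = attrs

    def keys(self):
        return self._attrs.keys()

    def __getitem__(self, key):
        return self._attrs[key]


def sample_target():
    # Constructed sample: two plain attributes plus two members that are not plain data.
    return TargetWrapper(name="cirros4", disk_format="qcow2",
                         lock=threading.Lock(), opaque=object())


def whole_copy_fails(target):
    """True when copy.deepcopy() of the whole target raises TypeError."""
    try:
        copy.deepcopy(target)
    except TypeError:
        return True
    return False


def build_payload_target(target):
    """Copy key by key; return (JSON-safe dict, sorted names of dropped keys)."""
    safe, dropped = {}, []
    for key in target.keys():
        try:
            value = copy.deepcopy(target[key])
            json.dumps(value)  # must survive serialisation to the remote check
        except (TypeError, ValueError):
            dropped.append(key)  # report it; do not drop silently
            continue
        safe[key] = value
    return safe, sorted(dropped)


if __name__ == "__main__":
    t = sample_target()
    print(whole_copy_fails(t), build_payload_target(t))
```

A non-empty dropped list means the remote check decides on an incomplete target, so a caller would normally log it or convert those attributes to plain data before enforcement.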