group.of.nepali.translators team mailing list archive
Message #35737
[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file
Reviewed: https://review.opendev.org/731218
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=75677a31108243e0adddc89f1fbf669053f9573b
Submitter: Zuul
Branch: master
commit 75677a31108243e0adddc89f1fbf669053f9573b
Author: Dmitrii Shcherbakov <dmitrii.shcherbakov@xxxxxxxxxxxxx>
Date: Wed May 27 17:06:25 2020 +0300
Reload files in policy_dirs on primary file change
It was determined that rules from policy files located in the directory
specified in the policy_dirs option (/etc/<config_dir>/policy.d by
default) are not re-applied after the rules from the primary policy file
are re-applied due to a change.
This change introduces additional behavior to make sure the rules from
policy_dirs are reapplied if there is a change to the primary policy
file.
Change-Id: I8a6f8e971d881365c41ea409966723319d5b239a
Closes-Bug: #1880959
Related-Bug: #1880847
** Changed in: oslo.policy
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1880959
Title: Rules from the policy directory files are not reapplied after changes to the primary policy file
Status in Ubuntu Cloud Archive: Triaged
Status in Ubuntu Cloud Archive mitaka series: Triaged
Status in Ubuntu Cloud Archive queens series: Triaged
Status in Ubuntu Cloud Archive rocky series: Triaged
Status in Ubuntu Cloud Archive stein series: Triaged
Status in Ubuntu Cloud Archive train series: Triaged
Status in Ubuntu Cloud Archive ussuri series: Triaged
Status in oslo.policy: Fix Released
Status in python-oslo.policy package in Ubuntu: Triaged
Status in python-oslo.policy source package in Xenial: Triaged
Status in python-oslo.policy source package in Bionic: Triaged
Status in python-oslo.policy source package in Eoan: Triaged
Status in python-oslo.policy source package in Groovy: Triaged
Bug description:
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py) under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1880959/+subscriptions
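The failure mode described in the bug report above, as an added example that is not part of the original message and is not oslo.policy's code: a simplified model of an mtime-cached policy loader, showing a deny-all override from policy.d silently reverting to the primary file's more permissive rule. The class `MiniEnforcer`, its flag `reapply_dir_on_primary_change`, and the JSON override file `rule.json` (standing in for rule.yaml) are assumptions made for illustration.

```python
import json
import os
import tempfile

RULE = "identity:list_credentials"
PRIMARY_RULE = "rule:admin_required or user_id:%(user_id)s"

class MiniEnforcer:
    """Simplified model of an mtime-cached policy loader (not oslo.policy code)."""
    def __init__(self, primary, policy_dir, reapply_dir_on_primary_change):
        self.primary, self.policy_dir = primary, policy_dir
        self.fixed = reapply_dir_on_primary_change  # hypothetical switch: False = buggy
        self.rules, self.mtimes = {}, {}

    def _changed(self, path):
        mtime = os.stat(path).st_mtime_ns
        if self.mtimes.get(path) == mtime:
            return False
        self.mtimes[path] = mtime
        return True

    def load_rules(self):
        primary_changed = self._changed(self.primary)
        if primary_changed:
            with open(self.primary) as f:
                self.rules = json.load(f)  # overwrite: earlier overrides are lost
        for name in sorted(os.listdir(self.policy_dir)):
            path = os.path.join(self.policy_dir, name)
            changed = self._changed(path)
            if changed or (self.fixed and primary_changed):
                with open(path) as f:
                    self.rules.update(json.load(f))  # directory rules win
        return self.rules

def effective_rule_after_touch(fixed):
    """Load both files, bump only the primary file's mtime, reload."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = os.path.join(tmp, "policy.json")
        pdir = os.path.join(tmp, "policy.d")
        os.mkdir(pdir)
        with open(primary, "w") as f:  # constructed sample input
            json.dump({RULE: PRIMARY_RULE}, f)
        with open(os.path.join(pdir, "rule.json"), "w") as f:
            json.dump({RULE: "!"}, f)  # deny-all override
        enf = MiniEnforcer(primary, pdir, fixed)
        enf.load_rules()  # first load: override is active
        st = os.stat(primary)
        os.utime(primary, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        return enf.load_rules()[RULE]
```

With `fixed=False` the reload returns the primary file's rule even though the override file is still on disk; with `fixed=True` the deny-all override stays in force.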