yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1174877] Re: NVP plugin: Field based policy checks are broken

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 29 May 2013 11:03:49 -0000
Reply-to: Bug 1174877 <1174877@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: quantum
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1174877

Title:
  NVP plugin: Field based policy checks are broken

Status in OpenStack Quantum (virtual network service):
  Fix Released

Bug description:
  the following commit:

  c1e13d2 Merge "Make the 'admin' role configurable"

  caused an interesting issue with the nvp plugin as it is not able to
  validate anymore rules of type 'field' (quantum.policy.FieldCheck) if
  applied on extended attributes.

  The reason is as follows:
  1) The NVP plugin perform some operations with an admin context at startup
  2) Creating an admin context now requires to execute policy.check_is_admin
  3) check_is_admin initializes the policy engine
  4) the policy engine's init() function reads policy.json and initializes rules
  5) when FieldCheck rules are initialized for extended attributes, since the attribute is not yet in the attribute map, the converter is not loaded (and the exception silenced)
  6) Since the converter is missing the check fails because the value in policy.json should be converted from string to bool and it isn't

  This is currently breaking most of l3 for the NVP plugin. A short-term
  fix is necessary.

To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1174877/+subscriptions