yahoo-eng-team team mailing list archive
Message #11362
[Bug 1246987] Re: check_policy does not work correctly
** Changed in: nova
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1246987
Title:
check_policy does not work correctly
Status in OpenStack Compute (Nova):
Invalid
Bug description:
function
check_policy(context, 'method', target)
If target is an instance object, this check_policy function does not work as expected, because target is not a dict.
e.g.
/etc/nova/policy.json:
"startstop_api": "is_admin:True or (project_id:%(project_id)s and role:comp_startstop and user_id:%(user_id)s)",
"compute:start": "rule:startstop_api",
"compute:stop": "rule:startstop_api",
The above controls never work.
./nova/compute/api.py should be revised.
I fixed it as below.
[root@nova-all0001 compute]# diff -rup api.old.py api.py
--- api.old.py 2013-11-01 15:42:22.086922939 +0900
+++ api.py 2013-11-01 14:38:12.407905965 +0900
@@ -194,7 +194,10 @@ def policy_decorator(scope):
def outer(func):
@functools.wraps(func)
def wrapped(self, context, target, *args, **kwargs):
- check_policy(context, func.__name__, target, scope)
+ if not isinstance(target, dict): # Y.Kawada
+ r_target = dict(target.iteritems())
+
+ check_policy(context, func.__name__, r_target, scope)
return func(self, context, target, *args, **kwargs)
return wrapped
return outer
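Review bot: r_target is assigned only inside the "if not isinstance(target, dict)" branch of wrapped(), so when target is already a dict the check_policy(context, func.__name__, r_target, scope) call references a name that was never bound and raises instead of evaluating the policy. Assign r_target = target before the if, or add an else branch, so both cases reach check_policy with a defined value. The conversion also assumes every non-dict target provides iteritems(); a target without it fails before the policy check, so state that requirement or guard for it. The "# Y.Kawada" comment would be more useful if it said why the conversion is needed.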
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1246987/+subscriptions