yahoo-eng-team team mailing list archive

[Charles V Bock <Charles.V.Bock@xxxxxxxxx>]

Public bug reported:

This check for the admin role seems to fly in the face of the RBAC control that keystone now gives us.
since is_superuser is based solely on the user having the role of admin.

        if not user.is_superuser:
            raise exceptions.NotAuthorized

https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L144

For instance if I give access to the list-users call for people with
role "user_lister" this check effectively overrides my policy every
time.

This only happens in horizon, via curl / direct API calls there is no
such interference.

Thoughts?

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: admin api auth horizon keystone policy rbac role

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1336418

Title:
  Admin auth check seems to override policy rules.

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  This check for the admin role seems to fly in the face of the RBAC control that keystone now gives us.
  since is_superuser is based solely on the user having the role of admin.

          if not user.is_superuser:
              raise exceptions.NotAuthorized

  https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L144

  For instance if I give access to the list-users call for people with
  role "user_lister" this check effectively overrides my policy every
  time.

  This only happens in horizon, via curl / direct API calls there is no
  such interference.

  Thoughts?

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1336418/+subscriptions