yahoo-eng-team team mailing list archive

[Bug 1357379] [NEW] policy admin_only rules not enforced when changing value to default

 

Public bug reported:

If a non-admin user tries to update an attribute, which should be
updated only by an admin, from a non-default value to the default, the
update is successfully performed and a PolicyNotAuthorized exception is
not raised.

The reason is that when a rule to match for a given action is built,
there is a verification that each attribute in the body of the resource
is present and has a non-default value. Thus, if we try to change some
attribute's value to the default, it is not considered to be explicitly
set and the corresponding rule is not enforced.

** Affects: neutron
     Importance: Undecided
     Assignee: Elena Ezhova (eezhova)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Elena Ezhova (eezhova)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1357379

Title:
  policy admin_only rules not enforced when changing value to default

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1357379/+subscriptions
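
The check described in the report, reduced to a small model (an added example, not Neutron's code and not part of the original message). The attribute map, the function names and the presence-only correction are assumptions made for illustration.

```python
# Simplified model of the flaw in the report; NOT Neutron's code.
# All names below (ATTRS, rules_to_enforce, update, attempt) are hypothetical.

class PolicyNotAuthorized(Exception):
    pass

# Constructed attribute map: "shared" is admin-only and defaults to False.
ATTRS = {
    "name":   {"default": "",    "admin_only": False},
    "shared": {"default": False, "admin_only": True},
}

def explicitly_set_flawed(attr, body):
    # Flaw: a value equal to the default is treated as "not set".
    return attr in body and body[attr] != ATTRS[attr]["default"]

def explicitly_set_fixed(attr, body):
    # Assumed correction: presence in the request body is what counts.
    return attr in body

def rules_to_enforce(body, is_set):
    """Return the per-attribute rules that apply to this update body."""
    return [f"update_network:{a}" for a, spec in ATTRS.items()
            if spec["admin_only"] and is_set(a, body)]

def update(resource, body, is_admin, is_set):
    """Apply body to resource after enforcing admin-only attribute rules."""
    rules = rules_to_enforce(body, is_set)
    if rules and not is_admin:
        raise PolicyNotAuthorized(", ".join(rules))
    return {**resource, **body}

def attempt(body, is_set):
    """Non-admin update of a constructed resource; report the outcome."""
    resource = {"name": "net1", "shared": True}  # admin set a non-default value
    try:
        return update(resource, body, is_admin=False, is_set=is_set)
    except PolicyNotAuthorized:
        return "denied"

if __name__ == "__main__":
    to_default = {"shared": False}  # non-admin resets the attribute to default
    print(attempt(to_default, explicitly_set_flawed))  # update goes through
    print(attempt(to_default, explicitly_set_fixed))   # denied
```

A regression test for this class of bug should cover a non-admin request that sets each admin-only attribute to its default value, not only to a non-default one.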

