yahoo-eng-team team mailing list archive

[Bug 1376751] [NEW] Policy rule "context_is_admin" is checked instead of "admin_api"

Public bug reported:

When trying to allow a user with role "domain_admin" to list Hypervisors ( "compute_extension:hypervisors": "rule:admin_api" ), I modified the rule "admin_api" to also accept the new role ( "admin_api": "is_admin:True or role:domain_admin" ). After this I was still unable to list the hypervisors and got the error: "ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-11ba9712-adff-42fa-b1f2-90532c4a77f1)".
After trying to modify the rule "context_is_admin" ( "context_is_admin":  "role:admin or role:domain_admin") listing the hypervisors worked.
The rule "admin_api" is not working as it should; maybe there is a hard-coded check in the Nova code that only enforces a set of operations with the rule "context_is_admin".

** Affects: nova
     Importance: Undecided
     Assignee: Sylvain Bauza (sylvain-bauza)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1376751

Title:
  Policy rule "context_is_admin" is checked instead of "admin_api"

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1376751/+subscriptions
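
The two policy edits from the report can be compared offline with a small evaluator. This is an added example, not Nova or oslo code and not part of the original message: it handles only the rule syntax quoted above (`role:`, `is_admin:`, `rule:`, `or`/`and`), and it assumes the unmodified `context_is_admin` value and that the context's admin flag is derived from that rule. `check`, `evaluate` and the two policy dictionaries are hypothetical names.

```python
import re

# Constructed policy fragments using the rule strings quoted in the report.
# The unmodified "context_is_admin": "role:admin" is an assumed starting value.
FIRST_ATTEMPT = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True or role:domain_admin",
    "compute_extension:hypervisors": "rule:admin_api",
}
SECOND_ATTEMPT = dict(FIRST_ATTEMPT,
                      context_is_admin="role:admin or role:domain_admin")


def check(expr, policy, creds, seen=()):
    """Evaluate 'or'/'and' over role:, is_admin: and rule: checks."""
    for alternative in re.split(r"\s+or\s+", expr.strip()):
        atoms = re.split(r"\s+and\s+", alternative)
        if all(_atom(a, policy, creds, seen) for a in atoms):
            return True
    return False


def _atom(atom, policy, creds, seen):
    kind, _, value = atom.strip().partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in creds["roles"]}
    if kind == "is_admin":
        return str(creds["is_admin"]) == value
    if kind == "rule":
        if value in seen or value not in policy:
            return False  # cyclic or undefined rule reference: deny
        return check(policy[value], policy, creds, seen + (value,))
    return False  # unsupported check type: fail closed


def evaluate(policy, roles, action="compute_extension:hypervisors"):
    """Return the context admin flag and the per-action policy decision."""
    creds = {"roles": roles, "is_admin": False}
    # Assumption: the admin flag is derived from the "context_is_admin" rule.
    creds["is_admin"] = check(policy["context_is_admin"], policy, creds)
    return {"is_admin": creds["is_admin"],
            "action_allowed": check(policy[action], policy, creds)}


if __name__ == "__main__":
    for name, policy in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(name, evaluate(policy, ["domain_admin"]))
```

For the first attempt the action rule accepts `domain_admin` while the admin flag stays false, so under these assumptions the reported 403 would have to come from a check outside `admin_api`, which is what the reporter suspects.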

