yahoo-eng-team team mailing list archive

[Sylvain Bauza <sbauza@xxxxxxx>]

Agreed with Christopher, there is no Nova codepath that is wrongly
interpreting the rules. Here, either it's an Oslo.policy issue or maybe
something invalid.

Closing it as invalid for Nova, feel free to affect Oslo if you consider
it still valid.

** Changed in: nova
       Status: New => Invalid

** Changed in: nova
     Assignee: Sylvain Bauza (sylvain-bauza) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1376751

Title:
  Policy rule "context_is_admin" is checked instead of "admin_api"

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  When trying to allow a user with role "domain_admin" to list Hypervisors ( "compute_extension:hypervisors": "rule:admin_api" ), I modified the rule "admin_api" to also accepts the new role ( "admin_api": "is_admin:True or role:domain_admin" ). After this I was still unable to list the hypervisors and got the error: "ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-11ba9712-adff-42fa-b1f2-90532c4a77f1)".
  After trying to modified the rule "context_is_admin" ( "context_is_admin":  "role:admin or role:domain_admin") listing the hypervisors worked.
  The rule "admin_api" is not working as it should, maybe there is a hard-coded check on Nova code that only enforce a set of operations woth the rule "context_is_admin"

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1376751/+subscriptions