yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #23341
[Bug 1376751] Re: Policy rule "context_is_admin" is checked instead of "admin_api"
Agreed with Christopher, there is no Nova codepath that is wrongly
interpreting the rules. Here, either it's an Oslo.policy issue or maybe
something invalid.
Closing it as invalid for Nova, feel free to affect Oslo if you consider
it still valid.
** Changed in: nova
Status: New => Invalid
** Changed in: nova
Assignee: Sylvain Bauza (sylvain-bauza) => (unassigned)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1376751
Title:
Policy rule "context_is_admin" is checked instead of "admin_api"
Status in OpenStack Compute (Nova):
Invalid
Bug description:
When trying to allow a user with role "domain_admin" to list Hypervisors ( "compute_extension:hypervisors": "rule:admin_api" ), I modified the rule "admin_api" to also accepts the new role ( "admin_api": "is_admin:True or role:domain_admin" ). After this I was still unable to list the hypervisors and got the error: "ERROR (Forbidden): User does not have admin privileges (HTTP 403) (Request-ID: req-11ba9712-adff-42fa-b1f2-90532c4a77f1)".
After trying to modified the rule "context_is_admin" ( "context_is_admin": "role:admin or role:domain_admin") listing the hypervisors worked.
The rule "admin_api" is not working as it should, maybe there is a hard-coded check on Nova code that only enforce a set of operations woth the rule "context_is_admin"
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1376751/+subscriptions
References