
yahoo-eng-team team mailing list archive

[Bug 1384377] [NEW] Policy rule position errors

 

Public bug reported:

In the policy.v3cloudsample.json there is the rule "admin_or_owner" that
is defined as "(rule:admin_required and
domain_id:%(target.token.user.domain.id)s) or rule:owner", and the tests
for it (
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L7
), especially
keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token,
show it's working as expected. The rule "admin_required" is defined
only as "role:admin" (
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L2
), so I changed the rule "admin_or_owner" to "(role:admin and
domain_id:%(target.token.user.domain.id)s) or rule:owner" and the test
raises an error saying that the user has no permission to do the action.
As it's the same rule, it wasn't supposed to raise errors. But it doesn't
stop there: when I rearrange the rule order to be like this:
"admin_or_owner": "rule:owner or (role:admin and
domain_id:%(target.token.user.domain.id)s)", it works.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1384377

Title:
  Policy rule position errors

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1384377/+subscriptions
