
yahoo-eng-team team mailing list archive

[Bug 1389961] Re: Change of policy.json needs restart service

 

Something is not right on my env. It seems OK on devstack.

** Changed in: keystone
       Status: New => Invalid

** Information type changed from Public to Private

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1389961

Title:
  Change of policy.json needs restart service

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  According to the document: http://docs.openstack.org/openstack-ops/content/projects_users.html

  A change to the policy file doesn't need a service restart. But I find
  this is not true.

  I tried the following on Juno.

  Steps:
  1. Create a user called guest in "Public" tenant and grant "user" role
  2. Login as "guest" and delete a flavor, it succeeds.
  3. Change /etc/nova/policy.json
   "compute_extension:flavormanage": "rule:owner", to "rule:admin"
  4. Try to delete another flavor, access denied.
  5. Restart nova-api, delete succeeds.

  [root@ip]# nova flavor-delete 3
  ERROR (Forbidden): Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-9f8699fe-dba0-4044-ac35-59d09079cbe6)

  [root@ip]#service nova-api restart

  [root@ip]# nova flavor-delete 3
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
  +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
  [root@ip]# nova flavor-list
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | ID | Name     | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+
  | 1  | m1.tiny  | 512       | 1    | 0         |      | 1     | 1.0         | True      |
  | 2  | m1.small | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
  +----+----------+-----------+------+-----------+------+-------+-------------+-----------+

  I also tried similar cases on the glance policy. The result is the same. If a user removes a privilege from policy.json and doesn't restart the service, this bug could cause serious security problems.

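The stale-policy risk the reporter raises, as an added example that is not OpenStack, nova or oslo code: a minimal Python enforcer fed a file in the shape of a nova policy.json, run once with rules cached at startup and once re-reading the file whenever its mtime changes. The rule names, the two policy contents, the `guest` credentials and the `PolicyEnforcer` / `run_scenario` names are all constructed for this example; real nova evaluates a much richer rule language.

```python
"""Stale vs. reloaded policy rules (added example, not OpenStack code).

A policy file is written, loaded, then tightened on disk. The caching
enforcer keeps authorizing with the old rules until it is recreated
(i.e. the service is restarted); the mtime-checking enforcer picks up
the tightened rule on the next enforce() call.
"""
import json
import os
import tempfile

# Constructed sample policies in nova policy.json shape (not from any deployment).
POLICY_BEFORE = {
    "admin": "role:admin",
    "owner": "role:admin or role:user",
    "compute_extension:flavormanage": "rule:owner",
}
# Same file after an operator restricts flavor management to admins.
POLICY_AFTER = dict(POLICY_BEFORE, **{"compute_extension:flavormanage": "rule:admin"})


class PolicyEnforcer:
    """Tiny evaluator for 'role:X', 'rule:Y', 'A or B', 'A and B' and '!'."""

    def __init__(self, path, reload_on_change):
        self.path = path
        self.reload_on_change = reload_on_change
        self._mtime = None
        self._rules = {}
        self._load()

    def _load(self):
        with open(self.path) as fh:
            self._rules = json.load(fh)
        self._mtime = os.stat(self.path).st_mtime

    def _maybe_reload(self):
        # The hardened behaviour: re-read the file if it changed on disk.
        if self.reload_on_change and os.stat(self.path).st_mtime != self._mtime:
            self._load()

    def _check(self, expr, creds, depth=0):
        if depth > 20:  # guard against self-referencing rules
            return False
        if " or " in expr:
            return any(self._check(p.strip(), creds, depth + 1) for p in expr.split(" or "))
        if " and " in expr:
            return all(self._check(p.strip(), creds, depth + 1) for p in expr.split(" and "))
        kind, _, value = expr.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":
            return self._check(self._rules.get(value, "!"), creds, depth + 1)
        return False  # "!" and unknown check types deny

    def enforce(self, target, creds):
        self._maybe_reload()
        return self._check(self._rules.get(target, "!"), creds)


def run_scenario(reload_on_change):
    """Load a policy, tighten it on disk, re-check a 'user' role principal.

    Returns (allowed_before_change, allowed_after_change).
    """
    guest = {"roles": ["user"]}  # constructed credentials, like the reporter's guest user
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "policy.json")
        with open(path, "w") as fh:
            json.dump(POLICY_BEFORE, fh)
        enforcer = PolicyEnforcer(path, reload_on_change)
        before = enforcer.enforce("compute_extension:flavormanage", guest)

        with open(path, "w") as fh:
            json.dump(POLICY_AFTER, fh)
        # Bump mtime explicitly so coarse filesystem timestamps cannot hide the change.
        st = os.stat(path)
        os.utime(path, (st.st_atime, st.st_mtime + 1))
        after = enforcer.enforce("compute_extension:flavormanage", guest)
    return before, after


if __name__ == "__main__":
    print("cached rules   (before, after):", run_scenario(reload_on_change=False))
    print("mtime reload   (before, after):", run_scenario(reload_on_change=True))
```

The cached variant returns `(True, True)`: the privilege the operator removed is still granted until a restart, which is exactly the window the reporter is worried about. The reloading variant returns `(True, False)`. When verifying a deployment, the same two-step check (tighten a rule, retry the call without restarting) tells you which behaviour the running service actually has, rather than relying on the documentation.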