yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #26101
[Bug 1336418] Re: Admin auth check seems to override policy rules.
** Changed in: horizon
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1336418
Title:
Admin auth check seems to override policy rules.
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
This check for the admin role seems to fly in the face of the RBAC control that keystone now gives us.
since is_superuser is based solely on the user having the role of admin.
if not user.is_superuser:
raise exceptions.NotAuthorized
https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L144
For instance if I give access to the list-users call for people with
role "user_lister" this check effectively overrides my policy every
time.
This only happens in horizon, via curl / direct API calls there is no
such interference.
Thoughts?
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1336418/+subscriptions
References