yahoo-eng-team team mailing list archive
Message #26796
[Bug 1384377] Re: Policy rule position errors
This is not a keystone bug.
** Also affects: oslo.policy
Importance: Undecided
Status: New
** Changed in: keystone
Status: New => Invalid
** Changed in: oslo.policy
Status: New => Triaged
** Changed in: oslo.policy
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1384377
Title:
Policy rule position errors
Status in OpenStack Identity (Keystone):
Invalid
Status in Oslo Policy:
Triaged
Bug description:
In the policy.v3cloudsample.json there is the rule "admin_or_owner"
that is defined as "(rule:admin_required and
domain_id:%(target.token.user.domain.id)s) or rule:owner", and the
tests for it
(https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L7),
especially this
keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token,
show it's working as expected. The rule "admin_required" is defined
only as "role:admin"
(https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L2),
so I changed the rule "admin_or_owner" to "(role:admin and
domain_id:%(target.token.user.domain.id)s) or rule:owner" and the test
raises an error saying that the user has no permission to do the
action. As it's the same rule, it wasn't supposed to raise errors. But
it doesn't stop there: when I rearrange the rule order to be like
this: "admin_or_owner": "rule:owner or (role:admin and
domain_id:%(target.token.user.domain.id)s)", it works.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1384377/+subscriptions
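As an added illustration (not code from the bug report or from oslo.policy), a minimal evaluator for the rule language the report is about: whitespace-separated checks joined by "and"/"or", with "or" binding loosest and parentheses grouping. The "owner" rule, the credential and target dictionaries and the flattened target keys are assumptions; run over the three spellings of admin_or_owner quoted above, a correct evaluator must return the same decision for every principal, which is the property the reported test failure violates.

```python
import re
# Constructed rule set modelled on the report; "owner" is an assumption (the
# report does not show it). "or" binds loosest, "and" tighter, parens group.
DOMAIN_CHECK = "domain_id:%(target.token.user.domain.id)s"
RULES = {
    "admin_required": "role:admin",
    "owner": "user_id:%(target.token.user.id)s",
    "original": "(rule:admin_required and " + DOMAIN_CHECK + ") or rule:owner",
    "inlined": "(role:admin and " + DOMAIN_CHECK + ") or rule:owner",
    "reordered": "rule:owner or (role:admin and " + DOMAIN_CHECK + ")",
}
# Tokens: "(", ")" or one check; the group keeps a %(...)s substitution whole.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)[^\s()]*)?")

def _check(tok, creds, target):
    kind, _, match = tok.partition(":")
    if kind == "rule":                                # named rule: recurse
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match % target     # generic attribute check

def evaluate(expr, creds, target):
    # Recursive descent: or_expr := and_expr ("or" and_expr)*, and so on down.
    tokens = _TOKEN.findall(expr)
    def atom():
        tok = tokens.pop(0)
        if tok != "(":
            return _check(tok, creds, target)
        inner = or_expr()
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in %r" % expr)
        return inner
    def chain(op, operand, combine):
        result = operand()
        while tokens[:1] == [op]:
            tokens.pop(0)
            result = combine(result, operand())       # always parse the right side
        return result
    and_expr = lambda: chain("and", atom, lambda a, b: a and b)
    or_expr = lambda: chain("or", and_expr, lambda a, b: a or b)
    return or_expr()

# Constructed principals and a flattened token target (owner u2 in domain d1).
TARGET = {"target.token.user.id": "u2", "target.token.user.domain.id": "d1"}
SAME_DOMAIN_ADMIN = {"user_id": "u1", "domain_id": "d1", "roles": ["admin"]}
TOKEN_OWNER = {"user_id": "u2", "domain_id": "d1", "roles": ["member"]}
OTHER_DOMAIN_ADMIN = {"user_id": "u3", "domain_id": "d2", "roles": ["admin"]}

def decisions(creds):
    # One answer per spelling; a correct evaluator returns three equal values.
    return [evaluate(RULES[v], creds, TARGET) for v in ("original", "inlined", "reordered")]
```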