yahoo-eng-team team mailing list archive

[Bug 1435855] [NEW] Default rule does not work in ceilometer policy.json

 

Public bug reported:

The rule default does not work for ceilometer. I tried with a few of these
and they don't work. I am able to proceed with the REST APIs that are
not mentioned even when the default is set to not_allowed.

"default": "not_allowed:True",
"default": "!",

The problem appears to be here >> /usr/lib/python2.7/site-packages/ceilometer/api/rbac.py

    for rule_name in _ENFORCER.rules.keys():
        if rule_method == rule_name:
            if not _ENFORCER.enforce(
                    rule_name,
                    {},
                    policy_dict):
                pecan.core.abort(status_code=403,
                                 detail='RBAC Authorization Failed')


The rbac.enforce method loops through all the rules and filters the one that matches the one requested for. However, in a case where the rule has not been specified in the policy.json file, there is no logic in the above to fall back on the default value. The default logic is already taken care of by oslo_policy and the above loop seems to be causing the problem.

** Affects: keystone
     Importance: Undecided
     Assignee: Divya K Konoor (dikonoor)
         Status: Incomplete

** Changed in: keystone
     Assignee: (unassigned) => Divya K Konoor (dikonoor)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1435855

Title:
  Default rule does not work in ceilometer policy.json

Status in OpenStack Identity (Keystone):
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1435855/+subscriptions
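
Added example (not part of the bug report and not ceilometer or oslo_policy code): a small model of the behaviour the report describes, comparing the looping check with a direct call that lets the default rule apply. MiniEnforcer is a hypothetical stand-in for a policy engine with a default-rule fallback; the rule names, policy and credentials are constructed.

```python
# Added illustration. MiniEnforcer is a hypothetical, simplified stand-in
# for a policy engine; it is not oslo_policy.
class MiniEnforcer:
    """Understands '!' (always deny), '@' or '' (always allow), 'role:<name>'.
    A rule name missing from the policy is answered by the 'default' rule."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def _check(self, expr, creds):
        if expr == "!":
            return False
        if expr in ("", "@"):
            return True
        kind, _, value = expr.partition(":")
        return kind == "role" and value in creds.get("roles", [])

    def enforce(self, rule_name, target, creds):
        # Unknown rule: fall back to 'default'; with no default, deny.
        expr = self.rules.get(rule_name, self.rules.get("default", "!"))
        return self._check(expr, creds)


def looped_check(enforcer, rule_method, creds):
    """Pattern from the report: only rules listed in the file are evaluated."""
    for rule_name in enforcer.rules.keys():
        if rule_method == rule_name:
            if not enforcer.enforce(rule_name, {}, creds):
                return 403
    return 200  # no listed rule matched, so nothing was enforced


def direct_check(enforcer, rule_method, creds):
    """Pass the requested rule straight to the enforcer so 'default' applies."""
    return 200 if enforcer.enforce(rule_method, {}, creds) else 403


# Constructed policy: one explicit rule plus a deny-all default.
POLICY = {"example:listed_api": "role:admin", "default": "!"}
ADMIN = {"roles": ["admin"]}
MEMBER = {"roles": ["member"]}

if __name__ == "__main__":
    enforcer = MiniEnforcer(POLICY)
    for rule in ("example:listed_api", "example:unlisted_api"):
        for who, creds in (("admin", ADMIN), ("member", MEMBER)):
            print(rule, who, "looped:", looped_check(enforcer, rule, creds),
                  "direct:", direct_check(enforcer, rule, creds))
```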

