yahoo-eng-team team mailing list archive
Message #30395
[Bug 1435855] [NEW] Default rule does not work in ceilometer policy.json
Public bug reported:
The rule default does not work for ceilometer. I tried with a few of these
and they don't work. I am able to proceed with the REST APIs that are
not mentioned even when the default is set to not_allowed.

    "default": "not_allowed:True",
    "default": "!",

The problem appears to be here: /usr/lib/python2.7/site-packages/ceilometer/api/rbac.py

    for rule_name in _ENFORCER.rules.keys():
        if rule_method == rule_name:
            if not _ENFORCER.enforce(
                    rule_name,
                    {},
                    policy_dict):
                pecan.core.abort(status_code=403,
                                 detail='RBAC Authorization Failed')

The rbac.enforce method loops through all the rules and filters the one that matches the one requested for. However, in a case where the rule has not been specified in the policy.json file, there is no logic in the above to fall back on the default value. The default logic is already taken care of by oslo_policy and the above loop seems to be causing the problem.
** Affects: keystone
Importance: Undecided
Assignee: Divya K Konoor (dikonoor)
Status: Incomplete
** Changed in: keystone
Assignee: (unassigned) => Divya K Konoor (dikonoor)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1435855
Title:
Default rule does not work in ceilometer policy.json
Status in OpenStack Identity (Keystone):
Incomplete
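The fail-open behaviour described in the report, as an added example that is not part of the original message and is not ceilometer or oslo.policy code. ToyEnforcer, the example:* rule names and the sample credentials are constructed stand-ins; the only assumption carried over from the report is that the policy engine itself falls back to the "default" rule for names missing from the file.

```python
# Constructed stand-in for a policy engine; not oslo.policy itself.
class ToyEnforcer:
    """Holds rules and falls back to the "default" rule for unknown names."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def _check(self, expr, creds):
        if expr == "!":          # always deny
            return False
        if expr == "@":          # always allow
            return True
        kind, _, value = expr.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        return False             # unknown check kinds fail closed

    def enforce(self, rule_name, target, creds):
        # Unlisted rule: evaluate "default"; no default at all means deny.
        expr = self.rules.get(rule_name, self.rules.get("default", "!"))
        return self._check(expr, creds)


def allowed_by_loop(enforcer, rule_method, creds):
    """Pattern from the report: only rules present in the file are enforced."""
    for rule_name in enforcer.rules.keys():
        if rule_method == rule_name:
            if not enforcer.enforce(rule_name, {}, creds):
                return False     # the reported code aborts with 403 here
    return True                  # no matching key: request proceeds unchecked


def allowed_direct(enforcer, rule_method, creds):
    """Ask the engine directly so an unlisted rule reaches the default."""
    return enforcer.enforce(rule_method, {}, creds)


# Constructed policy: one explicit rule plus a deny-all default.
POLICY = {"example:listed_action": "role:admin", "default": "!"}
ENFORCER = ToyEnforcer(POLICY)
USER = {"roles": ["member"]}     # constructed non-admin caller

if __name__ == "__main__":
    for action in ("example:listed_action", "example:unlisted_action"):
        print(action,
              "loop:", allowed_by_loop(ENFORCER, action, USER),
              "direct:", allowed_direct(ENFORCER, action, USER))
```
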