
yahoo-eng-team team mailing list archive

[Bug 1435855] Re: Default rule does not work in ceilometer policy.json

 

** Also affects: ceilometer
   Importance: Undecided
       Status: New

** No longer affects: ceilometer

** Project changed: keystone => ceilometer

** Changed in: ceilometer
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1435855

Title:
  Default rule does not work in ceilometer policy.json

Status in OpenStack Telemetry (Ceilometer):
  In Progress

Bug description:
  The rule default does not work for ceilometer. I tried with a few of
  these and they don't work. I am able to proceed with the REST APIs
  that are not mentioned even when the default is set to not_allowed.

  "default": "not_allowed:True",
  "default": "!",

  The problem appears to be here:
  /usr/lib/python2.7/site-packages/ceilometer/api/rbac.py

      for rule_name in _ENFORCER.rules.keys():
          if rule_method == rule_name:
              if not _ENFORCER.enforce(
                      rule_name,
                      {},
                      policy_dict):
                  pecan.core.abort(status_code=403,
                                   detail='RBAC Authorization Failed')

  
  The rbac.enforce method loops through all the rules and filters the one that matches the one requested. However, in a case where the rule has not been specified in the policy.json file, there is no logic in the above to fall back on the default value. The default logic is already taken care of by oslo_policy, and the above loop seems to be causing the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1435855/+subscriptions
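
Added example (not code from ceilometer, oslo_policy or the bug reporter): a self-contained sketch of the fail-open behaviour the report describes, comparing the name-matching loop with asking the enforcer directly. MiniEnforcer, Rules, the two helper functions and the rule names in POLICY are hypothetical stand-ins constructed for illustration.

```python
class Rules(dict):
    """Rule table that resolves unlisted names to the 'default' rule."""

    def __init__(self, rules, default_rule="default"):
        super().__init__(rules)
        self.default_rule = default_rule

    def __missing__(self, key):
        if key != self.default_rule and self.default_rule in self:
            return self[self.default_rule]
        raise KeyError(key)


class MiniEnforcer:
    """Stand-in policy engine: '!' denies, '' allows, 'role:<name>' checks roles."""

    def __init__(self, rules):
        self.rules = Rules(rules)

    def enforce(self, rule_name, target, creds):
        try:
            check = self.rules[rule_name]  # unlisted names fall back to default
        except KeyError:
            return False  # no such rule and no default: deny
        if check in ("!", ""):
            return check == ""
        kind, _, value = check.partition(":")
        return kind == "role" and value in creds.get("roles", [])


def enforce_with_loop(enforcer, rule_method, creds):
    """Pattern from the report: only rules listed by name are ever evaluated."""
    for rule_name in enforcer.rules.keys():
        if rule_method == rule_name:
            if not enforcer.enforce(rule_name, {}, creds):
                return 403
    return 200  # unlisted rule falls through; 'default' is never consulted


def enforce_direct(enforcer, rule_method, creds):
    """Ask the enforcer for the requested rule so 'default' applies if unlisted."""
    return 200 if enforcer.enforce(rule_method, {}, creds) else 403


# Constructed sample policy (deny by default) and request credentials.
POLICY = {"default": "!", "telemetry:get_samples": "role:admin"}
ADMIN = {"roles": ["admin"]}
MEMBER = {"roles": ["member"]}
```

With `"default": "!"`, a request for a rule absent from POLICY gets 200 from `enforce_with_loop` and 403 from `enforce_direct`; rules that are listed behave identically in both.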

