yahoo-eng-team team mailing list archive
Message #32073
[Bug 1445690] [NEW] "legacy" admin rule does not work and is not needed anymore
Public bug reported:
in neutron/policy.py:
    def check_is_admin(context):
        """Verify context has admin rights according to policy settings."""
        init()
        # the target is user-self
        credentials = context.to_dict()
        target = credentials
        # Backward compatibility: if ADMIN_CTX_POLICY is not
        # found, default to validating role:admin
        admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in _ENFORCER.rules
                        else 'role:admin')
        return _ENFORCER.enforce(admin_policy, target, credentials)
If ADMIN_CTX_POLICY is not specified, the enforcer checks role:admin,
which, since it does not exist among the rules loaded from file, defaults to
TrueCheck. This is wrong, and to an extent even dangerous, because if
ADMIN_CTX_POLICY is missing, then every context would be regarded as an
admin context. Thankfully this was only for backward compatibility and
is not necessary anymore.
A similar mistake is made for ADVSVC_CTX_POLICY. This is even more
puzzling because there was no backward compatibility requirement there.
Obviously the unit tests that are supposed to ensure the correct behaviour of
the backward compatibility tweak are validating something completely
different.
** Affects: neutron
Importance: Medium
Assignee: Salvatore Orlando (salvatore-orlando)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1445690
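Added example, not code from Neutron or from the bug reporter: a minimal model of the rule lookup the report describes, in which a string handed to enforce() is resolved as a rule name and a name that is not loaded falls back to the 'default' rule (that fallback is the assumption here), with the quoted fallback beside a fail-closed variant. The rule tables, check stand-ins and the hardened function are constructed for illustration and are not the upstream fix.

```python
# Added example (not Neutron's code): a minimal model of the lookup
# behaviour this report describes, with a fail-closed variant beside it.
# Assumption: a string passed to enforce() is a rule NAME, and a name that is
# not loaded falls back to the 'default' rule. All rule tables are constructed.
ADMIN_CTX_POLICY = 'context_is_admin'

def true_check(target, creds):
    """Stand-in for TrueCheck: grants everyone."""
    return True

def role_check(role):
    """Stand-in for RoleCheck: grants callers whose credentials carry role."""
    return lambda target, creds: role in creds.get('roles', ())

class Rules(dict):
    """Rule table that answers a missing rule name with the 'default' rule."""
    def __missing__(self, key):
        default = dict.get(self, 'default')
        if default is None:
            raise KeyError(key)
        return default

class Enforcer:
    def __init__(self, rules):
        self.rules = Rules(rules)

    def enforce(self, rule, target, creds):
        # 'role:admin' is looked up as a rule name here, never parsed as a check.
        return self.rules[rule](target, creds)

def check_is_admin_legacy(enforcer, creds):
    """The fallback quoted in the report: an unloaded name hits 'default'."""
    policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in enforcer.rules
              else 'role:admin')
    return enforcer.enforce(policy, creds, creds)

def check_is_admin_fail_closed(enforcer, creds):
    """Hardened variant (assumption, not the upstream fix): refuse when the
    admin rule is not loaded instead of falling through to 'default'."""
    if ADMIN_CTX_POLICY not in enforcer.rules:
        raise LookupError('policy rule %r is not loaded' % ADMIN_CTX_POLICY)
    return enforcer.enforce(ADMIN_CTX_POLICY, creds, creds)

# Constructed rule tables: a policy file with and without the admin rule.
WITH_ADMIN_RULE = Enforcer({'default': true_check,
                            ADMIN_CTX_POLICY: role_check('admin')})
WITHOUT_ADMIN_RULE = Enforcer({'default': true_check})
```

With the admin rule absent, the legacy path grants a plain member admin rights through the 'default' rule, while the fail-closed variant raises instead of granting.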