
yahoo-eng-team team mailing list archive

[Bug 1445690] [NEW] "legacy" admin rule does not work and is not needed anymore


Public bug reported:

in neutron/policy.py:

def check_is_admin(context):
    """Verify context has admin rights according to policy settings."""
    init()
    # the target is user-self
    credentials = context.to_dict()
    target = credentials
    # Backward compatibility: if ADMIN_CTX_POLICY is not
    # found, default to validating role:admin
    admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in _ENFORCER.rules
                    else 'role:admin')
    return _ENFORCER.enforce(admin_policy, target, credentials)

if ADMIN_CTX_POLICY is not specified the enforcer checks role:admin,
which since it does not exist among rules loaded from file, defaults to
TrueCheck. This is wrong, and to an extent even dangerous because if
ADMIN_CTX_POLICY is missing, then every context would be regarded as an
admin context. Thankfully this was only for backward compatibility and
is not necessary anymore.

A similar mistake is made for ADVSVC_CTX_POLICY. This is even more
puzzling because there was no backward compatibility requirement there.

Obviously the unit tests supposed to ensure the correct behaviour of the
backward compatibility tweak are validating something completely
different.

** Affects: neutron
     Importance: Medium
     Assignee: Salvatore Orlando (salvatore-orlando)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1445690

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1445690/+subscriptions
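Added example (not neutron's code and not oslo.policy): a self-contained model of the fail-open fallback the report describes, so the effect can be reproduced without a neutron checkout. The Enforcer class is a stand-in that reproduces only the behaviour stated above: enforcing a rule name that is absent from the loaded rules falls through to the default rule, TrueCheck. The names check_is_admin_legacy, check_is_admin_fixed and missing_policies, and the "fixed" variant itself, are assumptions made for this illustration, not the patch that closed the bug.

```python
# Added example (not neutron's code and not oslo.policy): a minimal model of the
# fail-open fallback described in bug 1445690. The Enforcer below is a stand-in
# that reproduces one behaviour only: enforcing a rule *name* that is absent
# from the loaded rules falls through to the default rule, TrueCheck.
# check_is_admin_legacy / check_is_admin_fixed / missing_policies are names
# chosen for this illustration (assumptions, not project code).

ADMIN_CTX_POLICY = 'context_is_admin'
ADVSVC_CTX_POLICY = 'context_is_advsvc'


class TrueCheck:
    """Always allows: the default the report says missing rule names resolve to."""

    def __call__(self, target, creds):
        return True


class RoleCheck:
    """Allows when the credentials carry the given role (case-insensitive)."""

    def __init__(self, role):
        self.role = role.lower()

    def __call__(self, target, creds):
        return self.role in [r.lower() for r in creds.get('roles', [])]


class Enforcer:
    """Stand-in enforcer: `rules` maps rule name -> check callable."""

    def __init__(self, rules, default_rule=None):
        self.rules = dict(rules)
        self.default_rule = default_rule if default_rule is not None else TrueCheck()

    def enforce(self, rule, target, creds):
        # A check object is evaluated directly; a string is looked up as a
        # rule NAME, and an unknown name silently becomes the default rule.
        if not isinstance(rule, str):
            return rule(target, creds)
        return self.rules.get(rule, self.default_rule)(target, creds)


def check_is_admin_legacy(enforcer, creds):
    """The pattern quoted in the report.

    'role:admin' is a check *string*, not a rule name, so it is never a key of
    enforcer.rules; the lookup misses and TrueCheck answers for it, so every
    context is admin whenever context_is_admin is absent from the policy file.
    """
    admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in enforcer.rules
                    else 'role:admin')
    return enforcer.enforce(admin_policy, creds, creds)


def check_is_admin_fixed(enforcer, creds):
    """Fail-closed variant (illustrative hardening, not the project's patch).

    If the named policy is missing, evaluate an explicit RoleCheck object,
    which the enforcer runs directly instead of resolving it by name.
    """
    if ADMIN_CTX_POLICY in enforcer.rules:
        return enforcer.enforce(ADMIN_CTX_POLICY, creds, creds)
    return enforcer.enforce(RoleCheck('admin'), creds, creds)


def missing_policies(enforcer, names=(ADMIN_CTX_POLICY, ADVSVC_CTX_POLICY)):
    """The check the report says the unit tests should have made: which of the
    context policies are actually absent from the loaded rules?"""
    return [name for name in names if name not in enforcer.rules]


if __name__ == '__main__':
    # Constructed sample inputs: a policy set that defines both context rules,
    # one that defines neither, and two credential dicts.
    full = Enforcer({ADMIN_CTX_POLICY: RoleCheck('admin'),
                     ADVSVC_CTX_POLICY: RoleCheck('advsvc')})
    empty = Enforcer({})
    member = {'roles': ['member']}
    admin = {'roles': ['admin']}
    print('legacy, no admin rule, member context ->',
          check_is_admin_legacy(empty, member))   # True: fail open
    print('legacy, admin rule,    member context ->',
          check_is_admin_legacy(full, member))    # False
    print('fixed,  no admin rule, member context ->',
          check_is_admin_fixed(empty, member))    # False
    print('missing policies in empty set ->', missing_policies(empty))
```

Running the block shows the failure mode directly: with no context_is_admin rule loaded, the legacy check grants admin to a plain member context, while the fail-closed variant denies it and still honours a real admin role. missing_policies is the assertion a unit test for this code path needs to make before exercising either check.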

