yahoo-eng-team team mailing list archive

[Bug 1445690] Re: "legacy" admin rule does not work and is not needed anymore

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1445690

Title:
  "legacy" admin rule does not work and is not needed anymore

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  In neutron/policy.py:

  def check_is_admin(context):
      """Verify context has admin rights according to policy settings."""
      init()
      # the target is user-self
      credentials = context.to_dict()
      target = credentials
      # Backward compatibility: if ADMIN_CTX_POLICY is not
      # found, default to validating role:admin
      admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in _ENFORCER.rules
                      else 'role:admin')
      return _ENFORCER.enforce(admin_policy, target, credentials)

  If ADMIN_CTX_POLICY is not specified, the enforcer checks role:admin,
  which, since it does not exist among the rules loaded from file, defaults
  to TrueCheck. This is wrong, and to an extent even dangerous, because
  if ADMIN_CTX_POLICY is missing, then every context would be regarded
  as an admin context. Thankfully this was only for backward
  compatibility and is not necessary anymore.

  A similar mistake is done for ADVSVC_CTX_POLICY. This is even more
  puzzling because there was no backward compatibility requirement
  there.

  Obviously the unit tests supposed to ensure the correct behaviour of
  the backward compatibility tweak are validating something completely
  different.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1445690/+subscriptions
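
Added example, not part of the original bug report and not Neutron's or oslo's code: a simplified Python model of the fail-open fallback the bug description explains, beside a fail-closed variant. `ToyEnforcer`, the two `check_is_admin_*` helpers, the `context_is_admin` rule name and the sample credentials are assumptions of this example; the always-true result for an unknown rule follows the report's description.

```python
# Simplified model of the behaviour described in the bug report.
# ToyEnforcer is hypothetical; it is not oslo.policy or Neutron code.

ADMIN_CTX_POLICY = "context_is_admin"  # assumed rule name for this example


def role_check(role):
    """Build a check that passes only when the credentials carry `role`."""
    return lambda target, creds: role in creds.get("roles", [])


def true_check(target, creds):
    """Always-allow check, standing in for the TrueCheck named in the report."""
    return True


class ToyEnforcer:
    def __init__(self, rules):
        self.rules = dict(rules)

    def enforce(self, rule, target, creds):
        # Models the reported behaviour: an unknown rule name falls
        # through to an always-true check instead of being denied.
        return self.rules.get(rule, true_check)(target, creds)


def check_is_admin_legacy(enforcer, creds):
    """Same fallback logic as the check_is_admin quoted in the report."""
    policy = ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in enforcer.rules else "role:admin"
    return enforcer.enforce(policy, creds, creds)


def check_is_admin_fail_closed(enforcer, creds):
    """Deny when the admin rule is absent rather than guessing a fallback."""
    if ADMIN_CTX_POLICY not in enforcer.rules:
        return False
    return enforcer.enforce(ADMIN_CTX_POLICY, creds, creds)


# Constructed sample data: a rule set with and without the admin rule.
RULES_WITH_ADMIN = {ADMIN_CTX_POLICY: role_check("admin")}
RULES_WITHOUT_ADMIN = {"get_network": true_check}
MEMBER = {"user_id": "u1", "roles": ["member"]}
ADMIN = {"user_id": "u2", "roles": ["admin"]}

if __name__ == "__main__":
    for label, rules in (("with rule", RULES_WITH_ADMIN), ("without rule", RULES_WITHOUT_ADMIN)):
        e = ToyEnforcer(rules)
        print(label, check_is_admin_legacy(e, MEMBER), check_is_admin_fail_closed(e, MEMBER))
```

A regression test for this class of bug needs the negative case: a non-admin context evaluated against a rule set that lacks the admin rule must be denied.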