yahoo-eng-team team mailing list archive

[Bug 1481883] [NEW] Glance not honoring context_is_admin in policy.json

 

Public bug reported:

glance/etc/policy.json has the following definition

1 {
2     "context_is_admin":  "role:admin",

{omitted}

However, to demonstrate the problem, if I change the following

{omitted}

8     "get_images": "",

to

8     "get_images": "is_admin:True",

{omitted}

Running "glance image-list" as an admin returns the following error, which tells me that context_is_admin isn't working.
403 Forbidden: Access was denied to this resource. (HTTP 403)

Further code analysis revealed that the glance policy Enforcer has a
check_is_check(...) method defined, but the logic behind Enforcer
check(...) method is not taking advantage of it.

Fix proposal to follow.

** Affects: glance
     Importance: Undecided
     Assignee: David J Hu (david-j-hu)
         Status: New

** Changed in: glance
     Assignee: (unassigned) => David J Hu (david-j-hu)

** Description changed:

  glance/etc/policy.json has the following definition
  
- 1 { 
- 2     "context_is_admin":  "role:admin", 
+ 1 {
+ 2     "context_is_admin":  "role:admin",
  
  {omitted}
  
  However, to demonstrate the problem, if I change the following
  
  {omitted}
  
- 7     "get_image": "",
+ 8     "get_images": "",
  
  to
  
- 7     "get_image": "is_admin:True",
+ 8     "get_images": "is_admin:True",
  
  {omitted}
- 
  
  Running "glance image-list" as an admin returns the following error, which tells me that context_is_admin isn't working.
  403 Forbidden: Access was denied to this resource. (HTTP 403)
  
  Further code analysis revealed that the the glance policy Enforcer has a
  check_is_check(...) method defined, but the logic behind Enforcer
  check(...) method is not taking advantage of it.
  
  Fix proposal to follow.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1481883

Title:
  Glance not honoring context_is_admin in policy.json

Status in Glance:
  New

Bug description:
  glance/etc/policy.json has the following definition

  1 {
  2     "context_is_admin":  "role:admin",

  {omitted}

  However, to demonstrate the problem, if I change the following

  {omitted}

  8     "get_images": "",

  to

  8     "get_images": "is_admin:True",

  {omitted}

  Running "glance image-list" as an admin returns the following error, which tells me that context_is_admin isn't working.
  403 Forbidden: Access was denied to this resource. (HTTP 403)

  Further code analysis revealed that the glance policy Enforcer has
  a check_is_check(...) method defined, but the logic behind Enforcer
  check(...) method is not taking advantage of it.

  Fix proposal to follow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1481883/+subscriptions
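
A simplified model of the symptom in the report, added here as an example; it is not Glance or oslo.policy code, and the names `check`, `enforce`, `derive_is_admin` and the sample credentials are assumptions. It shows one way an `is_admin:True` rule can deny a user who holds the `admin` role: the enforcer never evaluates `context_is_admin` to populate the `is_admin` attribute before checking the action's rule.

```python
# Constructed policy, using only the two rules quoted in the report.
POLICY = {
    "context_is_admin": "role:admin",
    "get_images": "is_admin:True",
}

# Constructed credentials: the user holds the admin role, but the
# request context has not been flagged as admin.
ADMIN = {"roles": ["admin"], "is_admin": False}
MEMBER = {"roles": ["member"], "is_admin": False}


def check(rule, creds, rules):
    """Evaluate a single 'kind:match' check string against credentials."""
    if rule == "":
        return True  # an empty rule always passes
    kind, _, match = rule.partition(":")
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "rule":
        return check(rules[match], creds, rules)
    # Generic check: compare the credential attribute named by `kind`
    # with the literal on the right-hand side.
    return str(creds.get(kind)) == match


def enforce(action, creds, rules, derive_is_admin):
    """Return True if `action` is allowed.

    derive_is_admin=False models an enforcer that ignores context_is_admin.
    derive_is_admin=True evaluates context_is_admin first and stores the
    result in the credentials, so is_admin:True reflects the policy file.
    """
    creds = dict(creds)
    if derive_is_admin:
        creds["is_admin"] = bool(creds.get("is_admin")) or check(
            rules["context_is_admin"], creds, rules
        )
    return check(rules[action], creds, rules)


if __name__ == "__main__":
    for label, derive in (("ignores context_is_admin", False),
                          ("honors context_is_admin", True)):
        allowed = enforce("get_images", ADMIN, POLICY, derive)
        print(f"{label}: {'200 OK' if allowed else '403 Forbidden'}")
```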

