yahoo-eng-team team mailing list archive
Message #44706
[Bug 1505831] Re: Pecan: policy evaluation error can trigger 500 response
Reviewed: https://review.openstack.org/234457
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=293c3e01efce74d110ff34703a9e68ce2cd782e6
Submitter: Jenkins
Branch: master
commit 293c3e01efce74d110ff34703a9e68ce2cd782e6
Author: Salvatore Orlando <salv.orlando@xxxxxxxxx>
Date: Tue Oct 13 15:08:47 2015 -0700
Pecan: Fixes and tests for the policy enforcement hook
As PolicyNotAuthorizedException is raised in a hook, the
ExceptionTranslationHook is not invoked for it; therefore a 500
response is returned whereas a 403 was expected. This patch
explicitly handles the exception in the hook in order to ensure
the appropriate response code is returned.
Moreover, the structure of the 'before' hook prevented checks
on DELETE requests from being performed. As a result the check
was not performed at all (checks on the 'after' hook only pertain
to GET requests). This patch changes the logic of the 'before' hook
by ensuring the item to authorize access to is loaded both on PUT
and DELETE requests.
This patch also adds functional tests specific for the policy
enforcement hook.
Change-Id: I8c76cb05568df47648cff71a107cfe701b286bb7
Closes-Bug: #1520180
Closes-Bug: #1505831
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1505831
Title:
Pecan: policy evaluation error can trigger 500 response
Status in neutron:
Fix Released
Bug description:
In [1] if policy_method == enforce a PolicyNotAuthorizedException is triggered.
However, the exception translation hook is not called, most likely because the on_error hook is not installed on other policy hooks.
This might be logical and should therefore not be considered a pecan bug.
The policy hook should take this into account and handle the exception.
[1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/pecan_wsgi/hooks/policy_enforcement.py#n94
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1505831/+subscriptions
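The two defects the commit message describes (an authorization failure surfacing as a 500, and DELETE skipping the 'before' check), modelled as an added example that is not the Neutron patch and does not use Pecan's API. All names here (`before_hook`, `dispatch`, `enforce`, `request`, the `legacy` flag, the owner-or-admin rule) are assumptions, and `dispatch` assumes an exception that nothing translates reaches the client as a 500.

```python
# Stand-in model of a 'before' policy hook; not Neutron or Pecan code.
from types import SimpleNamespace as NS


class PolicyNotAuthorized(Exception):
    """Stand-in for the policy engine's authorization failure."""


class Forbidden(Exception):
    """Stand-in for an HTTP error that is rendered as a 403 response."""
    status = 403


def enforce(ctx, action, target):
    # Hypothetical rule: only an admin or the owning tenant may write.
    if not (ctx.is_admin or ctx.tenant_id == target["tenant_id"]):
        raise PolicyNotAuthorized(action)


def before_hook(state, store, legacy=False):
    """Authorize a write before the controller stand-in runs."""
    if state.method not in ("POST", "PUT", "DELETE"):
        return  # reads are filtered by the 'after' hook
    if legacy and state.method == "DELETE":
        return  # pre-fix behaviour: DELETE is never checked
    # Load the stored item for PUT and DELETE; POST authorizes the body.
    target = state.body if state.method == "POST" else store[state.item_id]
    try:
        enforce(state.ctx, state.method.lower() + "_port", target)
    except PolicyNotAuthorized as exc:
        if legacy:
            raise  # pre-fix behaviour: escapes the hook untranslated
        raise Forbidden(str(exc)) from exc  # fixed: translated in the hook


def dispatch(state, store, legacy=False):
    """Return the status a client would see for this request."""
    try:
        before_hook(state, store, legacy)
    except Forbidden as exc:
        return exc.status
    except Exception:
        return 500  # assumed: untranslated errors become 500
    if state.method == "DELETE":
        del store[state.item_id]  # controller stand-in
    return 200


def request(method, tenant, item_id=None, body=None, admin=False):
    ctx = NS(tenant_id=tenant, is_admin=admin)
    return NS(method=method, ctx=ctx, item_id=item_id, body=body)
```

A regression test for such a hook should assert both the status code and that the stored item is unchanged after a denied DELETE, since a check on the status alone would not have caught the skipped check.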