yahoo-eng-team team mailing list archive
Message #57353
[Bug 1384377] Re: Policy rule position errors
*** This bug is a duplicate of bug 1523030 ***
https://bugs.launchpad.net/bugs/1523030
This is fixed by https://review.openstack.org/#/c/253763/
** This bug has been marked a duplicate of bug 1523030
parser can't handle mixed conditions of 'or' and 'and' operators
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1384377
Title:
Policy rule position errors
Status in OpenStack Identity (keystone):
Invalid
Status in oslo.policy:
Triaged
Bug description:
In the policy.v3cloudsample.json there is the rule "admin_or_owner"
that is defined as "(rule:admin_required and
domain_id:%(target.token.user.domain.id)s) or rule:owner", and the
tests for it (
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L7
), especially
keystone.tests.test_v3_auth.TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token,
show it's working as expected. The rule "admin_required" is defined
only as "role:admin" (
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L2
), so I changed the rule "admin_or_owner" to "(role:admin and
domain_id:%(target.token.user.domain.id)s) or rule:owner" and the test
raises an error saying that the user has no permission to do the
action. As it's the same rule, it wasn't supposed to raise errors. But
it doesn't stop there: when I rearrange the rule order to be like
this: "admin_or_owner": "rule:owner or (role:admin and
domain_id:%(target.token.user.domain.id)s)", it works.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1384377/+subscriptions
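The behaviour the report expects from the policy language is that "and" binds tighter than "or", parentheses override that, and swapping the two sides of an "or" cannot change the decision. The following is an added reference evaluator written for this page, not code from oslo.policy or keystone; it implements that grammar over the three spellings of "admin_or_owner" quoted above so the decisions can be compared. The credential dictionaries, the flattened target dictionary (keys such as "target.token.user.domain.id" are assumed to arrive pre-flattened, as keystone's policy enforcement passes them), and the helper names `tokenize`, `evaluate`, `decision_table` and `orderings_agree` are all constructed for the example.

```python
"""Reference evaluator for oslo.policy-style rule strings (added example).

Grammar implemented:
    rule     := or_expr
    or_expr  := and_expr ("or" and_expr)*
    and_expr := unary ("and" unary)*
    unary    := "not" unary | "(" rule ")" | check
    check    := "@" | "!" | "role:NAME" | "rule:NAME" | "KEY:VALUE"
'and' binds tighter than 'or'; parentheses group explicitly.
"""


def tokenize(rule_text):
    """Split on whitespace, peeling leading '(' and trailing ')' off tokens.

    Only trailing ')' characters are peeled, so the ')' inside a
    '%(key)s' substitution survives as part of the check token.
    """
    tokens = []
    for raw in rule_text.split():
        stripped = raw.lstrip("(")
        tokens.extend("(" * (len(raw) - len(stripped)))
        if not stripped:
            continue
        core = stripped.rstrip(")")
        if core:
            tokens.append(core)
        tokens.extend(")" * (len(stripped) - len(core)))
    return tokens


class _Parser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok.lower() == "not":
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return ("check", tok)


def _check(check, creds, target, rules):
    """Evaluate one leaf check against credentials and a flattened target."""
    if check == "@":
        return True
    if check == "!":
        return False
    key, _, value = check.partition(":")
    if key == "role":
        return value in creds.get("roles", [])
    if key == "rule":
        return evaluate(rules[value], creds, target, rules)
    try:  # generic check: interpolate %(...)s from the target, compare to creds[key]
        expected = value % target
    except (KeyError, ValueError):
        return False
    return key in creds and str(creds[key]) == expected


def _eval(node, creds, target, rules):
    kind = node[0]
    if kind == "or":
        return _eval(node[1], creds, target, rules) or _eval(node[2], creds, target, rules)
    if kind == "and":
        return _eval(node[1], creds, target, rules) and _eval(node[2], creds, target, rules)
    if kind == "not":
        return not _eval(node[1], creds, target, rules)
    return _check(node[1], creds, target, rules)


def evaluate(rule_text, creds, target, rules):
    """Parse and evaluate a rule string; True means the action is allowed."""
    return _eval(_Parser(tokenize(rule_text)).parse(), creds, target, rules)


# Constructed sample policy: the helper rules plus the three spellings from the report.
RULES = {"owner": "user_id:%(user_id)s", "admin_required": "role:admin"}
VARIANTS = {
    "original": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "inlined": "(role:admin and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "swapped": "rule:owner or (role:admin and domain_id:%(target.token.user.domain.id)s)",
}
# Constructed, pre-flattened target: the token being revoked belongs to alice in domain-a.
TARGET = {"user_id": "alice", "target.token.user.domain.id": "domain-a"}
# Constructed callers: token owner, admin of the right domain, admin of another domain, bystander.
CREDS = {
    "owner": {"user_id": "alice", "domain_id": "domain-b", "roles": []},
    "domain_admin": {"user_id": "bob", "domain_id": "domain-a", "roles": ["admin"]},
    "other_admin": {"user_id": "carol", "domain_id": "domain-b", "roles": ["admin"]},
    "stranger": {"user_id": "dave", "domain_id": "domain-a", "roles": []},
}


def decision_table(variants=VARIANTS, creds=CREDS, target=TARGET, rules=RULES):
    """Return {variant: {caller: allowed}} so the spellings can be compared."""
    return {name: {who: evaluate(text, c, target, rules) for who, c in creds.items()}
            for name, text in variants.items()}


def orderings_agree(table=None):
    """True when every spelling of the rule yields the same decisions."""
    rows = list((table or decision_table()).values())
    return all(row == rows[0] for row in rows)


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(name, row)
    print("all spellings agree:", orderings_agree())
```

With correct precedence the three spellings give identical decisions (owner and in-domain admin allowed, out-of-domain admin and stranger denied); a parser that makes the "inlined" form deny the owner while the "swapped" form allows them, as the report describes, is mishandling the parenthesised "and" inside an "or".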