yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1577996] Re: Unable to distinguish between not is_admin_project and feature not enabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jamie Lennox <jamielennox@xxxxxxxxx>
Date: Tue, 21 Mar 2017 23:46:28 -0000
Reply-to: Bug 1577996 <1577996@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Lance:

So the plan was to maybe add a new rule to oslo.policy like just
is_admin_project or something - however as part of the oslo.context
refactoring and making that common between projects we now have
{'is_admin_project': True/False} as part of most context dicts. This
means that you can enforce policy just as is_admin_project:True in your
policy files.

I guess it would be slightly neater to have this as a policy rule
because it's unlikely you'd ever check for False but it hasn't been a
priority.

Do you think it worth chasing?

** Changed in: oslo.context
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1577996

Title:
  Unable to distinguish between not is_admin_project and feature not
  enabled

Status in OpenStack Identity (keystone):
  Fix Released
Status in keystoneauth:
  Fix Released
Status in keystonemiddleware:
  Fix Released
Status in oslo.context:
  Fix Released
Status in oslo.policy:
  New

Bug description:
  The is_admin_project flag is used in a token to indicate that the
  current token is scoped to a project that is indicated as the admin
  project. Currently this is only added to the token when the
  admin_project is True and nothing added when False.

  From a policy perspective we need to write policy files that are
  backwards compatible, however we cannot determine the difference in
  policy between is_admin_project == False and the admin project not
  being set from config because both result in no flag being set in the
  token.

  If we were to enforce is_admin_project == True on a deployment that
  did not use it this would completely break backwards compatibility as
  the is_admin_project check would never pass.

  To fix this we need to make is_admin_project a required field of a
  token at least when the admin project is set.

  Because the current default is that every project can be the admin
  project, the default value of is_admin_project must be True. For
  deployments that do not configure an admin project we can either set
  is_admin_project=True for every project, or we can exclude the field
  from the token. I think exclude makes sense because the check from a
  policy perspective is going to have to default to True for backwards
  compatibility and you can then tell from a token whether the
  admin_project concept is in use (i'm not sure if this is an
  information leakage problem - please comment on preference).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1577996/+subscriptions

References

[Bug 1577996] [NEW] Unable to distinguish between not is_admin_project and feature not enabled
From: Jamie Lennox, 2016-05-04