yahoo-eng-team team mailing list archive
Message #65733
[Bug 1703392] [NEW] default rule no longer applies with policy in code
Public bug reported:
The following should not exist in keystone/common/policies/base.py:
    from oslo_policy import policy  # the import base.py already uses for RuleDefault

    # Registered fallback rule: consulted only when a checked rule name is not found
    policy.RuleDefault(
        name='default',
        check_str='rule:admin_required')
because a default rule should no longer apply with policy in code. If
we've correctly defined all policy rules in code, then we'll never have
a case where code is checking a rule that can't be found, which is when
the default rule is checked.
In previous releases, some operators who override policy used the
default rule to restrict all rules that they (intentionally) omitted
from their policy.json. This shortened those files, and protected them
if keystone added new policy checks until/unless they decided to open
things up more widely. Leaving the default rule defined now that policy
is in code will confuse this kind of operator (and possibly others) who
haven't thought it through and realized that the default rule can't be
used like that anymore because it won't be checked just because you
didn't define another rule in policy.json.
** Affects: keystone
Importance: Undecided
Assignee: Matthew Edmonds (edmondsw)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Matthew Edmonds (edmondsw)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1703392
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703392/+subscriptions
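To make the lookup behaviour described in the report concrete, here is an added example (not code from the bug report, keystone or oslo.policy). It models how oslo.policy's rule table resolves a name: a missing name falls back to the rule called ``default``, and with policy in code the registered defaults are merged under the operator's policy file. The rule names, check strings and the operator's policy.json contents below are constructed for illustration; only the quoted ``default: rule:admin_required`` entry comes from the report.

```python
"""Model of oslo.policy rule resolution, to show why an operator's
``default`` rule stops being consulted once every rule is registered in code.

Added example, not keystone or oslo.policy code. The fallback semantics
(a missing name resolves to the rule named ``default``) mirror the
oslo.policy ``Rules`` class; the sample rules are constructed.
"""


class Rules(dict):
    """Rule table: a missing name falls back to the ``default`` rule."""

    def __init__(self, rules, default_rule="default"):
        super().__init__(rules)
        self.default_rule = default_rule

    def __missing__(self, key):
        # Fall back only when a default rule exists and we are not already
        # looking the default rule itself up; otherwise it is a real miss.
        if key == self.default_rule or self.default_rule not in self:
            raise KeyError(key)
        return self[self.default_rule]


def effective_rules(policy_file, in_code_defaults=None):
    """Merge rules the way the enforcer does: registered in-code defaults
    first, then policy file entries override them. Without in-code
    defaults this is the old world, where the file is the whole table."""
    merged = dict(in_code_defaults or {})
    merged.update(policy_file)
    return Rules(merged)


def resolve(rules, name):
    """Return (check_str, via_default): what would be enforced for ``name``
    and whether the ``default`` rule was the one that supplied it."""
    check_str = rules[name]           # may go through __missing__
    via_default = name not in rules   # __contains__ does not use __missing__
    return check_str, via_default


# Constructed stand-in for rules registered in code (policy in code).
IN_CODE_DEFAULTS = {
    "admin_required": "role:admin",
    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "default": "rule:admin_required",   # the entry the bug report quotes
}

# Constructed stand-in for an operator's trimmed policy.json that relied on
# ``default`` to lock down everything it did not list explicitly.
OPERATOR_POLICY_JSON = {
    "default": "!",
    "identity:list_users": "role:admin or role:auditor",
}


def compare_worlds():
    """Resolve a few rule names against the file-only table (old behaviour)
    and the merged table (policy in code) and report what each enforces."""
    results = {}
    for name in ("identity:list_users", "identity:get_user",
                 "identity:not_registered"):
        old = resolve(Rules(OPERATOR_POLICY_JSON), name)
        new = resolve(effective_rules(OPERATOR_POLICY_JSON, IN_CODE_DEFAULTS), name)
        results[name] = {"file_only": old, "policy_in_code": new}
    return results


if __name__ == "__main__":
    for name, outcome in compare_worlds().items():
        print(name)
        for world, (check_str, via_default) in outcome.items():
            suffix = " (via default rule)" if via_default else ""
            print(f"  {world:15} -> {check_str}{suffix}")
```

Running it shows the operator's surprise: ``identity:get_user`` was denied by ``default: "!"`` when the file was the whole table, but with policy in code it resolves to the registered ``rule:admin_or_owner`` and the ``default`` entry is never reached. The ``default`` rule still fires for a name nothing registered, which is exactly the case the report says should no longer occur.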