yahoo-eng-team team mailing list archive

[OpenStack Infra <1703467@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/482359
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fa88f6844873b53065123b6b4c311c8fd94ede4d
Submitter: Jenkins
Branch:    master

commit fa88f6844873b53065123b6b4c311c8fd94ede4d
Author: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date:   Mon Jul 10 18:51:52 2017 -0400

    fix assert_admin
    
    The assert_admin method was broken by an earlier Pike commit [1]
    which caused it to check for the "identity:admin_required" policy
    rule (which is not defined) instead of the "admin_required" rule.
    This changes check_policy to take the action instead of a function
    name, allowing the caller to decide whether they want to prepend
    "identity:" or not.
    
    [1] 40c118d6ba94b15d6f66da618e1d368a0f876340
    
    Change-Id: Ief05967361959a0bd194af3e77af198936e4a71f
    Closes-Bug: #1703467


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1703467

Title:
  assert_admin is checking default policy rule not admin_required

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  https://github.com/openstack/keystone/commit/40c118d6ba94b15d6f66da618e1d368a0f876340
  broke all places calling assert_admin. Previously, assert_admin
  checked the "admin_required" rule. With that change, assert_admin now
  checks the "identity:admin_required" rule. That rule is not defined,
  so what actually gets checked is the default rule. We must fix this
  before shipping Pike to avoid breaking backward compatibility.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703467/+subscriptions