yahoo-eng-team team mailing list archive

[Bug 1703392] Re: default rule no longer applies with policy in code

Reviewed:  https://review.openstack.org/482164
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fbec8573840c2bf9279c9e955f3fa41f8a788fbb
Submitter: Jenkins
Branch:    master

commit fbec8573840c2bf9279c9e955f3fa41f8a788fbb
Author: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date:   Mon Jul 10 10:42:29 2017 -0400

    remove default rule
    
    The default rule no longer applies with the move of policy into code
    so this change removes it.
    
    In previous releases, the default rule was used by operators
    customizing policy and not wanting to specify every rule in their
    policy.json. But with the move of policy into code, all checks that
    the code is going to make are defined in code, so there should never
    be an occasion for the default rule to be checked. Leaving it defined
    would confuse operators since it can no longer be used the way it was
    used before.
    
    Change-Id: Idafe1c906f1eb188200eab7af3eae8eb86c8154a
    Closes-Bug: #1703392


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1703392

Title:
  default rule no longer applies with policy in code

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The following should not exist in keystone/common/policies/base.py:

      policy.RuleDefault(
          name='default',
          check_str='rule:admin_required')

  because a default rule should no longer apply with policy in code. If
  we've correctly defined all policy rules in code, then we'll never
  have a case where code is checking a rule that can't be found, which
  is when the default rule is checked.

  In previous releases, some operators who override policy used the
  default rule to restrict all rules that they (intentionally) omitted
  from their policy.json. This shortened those files, and protected them
  if keystone added new policy checks until/unless they decided to open
  things up more widely. Leaving the default rule defined now that
  policy is in code will confuse this kind of operator (and possibly
  others) who haven't thought it through and realized that the default
  rule can't be used like that anymore because it won't be checked just
  because you didn't define another rule in policy.json.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1703392/+subscriptions
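The lookup order the bug description relies on, as an added Python model that is not keystone or oslo.policy code: resolve() is a simplified stand-in for how oslo.policy picks the check for a rule name, and the rule names, checks and policy.json content are constructed for the illustration. It shows why an operator's "default": "!" entry, which used to deny every omitted rule, no longer has that effect once every checked rule has an in-code RuleDefault, and lists the rules such an operator should now review.

```python
"""Added model of the rule lookup order the bug report relies on. NOT keystone
or oslo.policy code: resolve() is a simplified stand-in for oslo.policy's
lookup (policy.json override, then the in-code RuleDefault, then the "default"
rule only for a name known to neither). Rule names and checks are constructed.
"""
import json

# Constructed stand-in for keystone's in-code RuleDefault registrations.
IN_CODE_DEFAULTS = {
    "identity:get_user": "rule:admin_required",
    "identity:list_projects": "rule:admin_required",
}

# Constructed operator policy.json written the pre-policy-in-code way:
# deny everything not listed, open up exactly one rule.
OPERATOR_POLICY_JSON = json.dumps({
    "default": "!",
    "identity:list_projects": "role:reader",
})

def resolve(rule_name, policy_json, in_code_defaults):
    """Return (check_str, source) for rule_name, following the lookup order."""
    overrides = json.loads(policy_json)
    if rule_name in overrides:
        return overrides[rule_name], "policy.json"
    if rule_name in in_code_defaults:
        return in_code_defaults[rule_name], "in-code RuleDefault"
    # Only a rule name unknown to both sources reaches the "default" rule.
    for source, rules in (("policy.json", overrides), ("in-code", in_code_defaults)):
        if "default" in rules:
            return rules["default"], "default rule (%s)" % source
    raise KeyError("no check and no default rule for %s" % rule_name)

def before_policy_in_code():
    # Nothing registered in code: the operator's "default": "!" denies get_user.
    return resolve("identity:get_user", OPERATOR_POLICY_JSON, {})

def after_policy_in_code():
    # Every checked rule is registered, so "default": "!" is never consulted;
    # get_user quietly gets the in-code admin_required check instead.
    return resolve("identity:get_user", OPERATOR_POLICY_JSON, IN_CODE_DEFAULTS)

def rules_left_to_default(policy_json, in_code_defaults):
    """Registered rules an operator omitted from policy.json, expecting their
    "default" entry to cover them; the in-code default governs these now."""
    overrides = json.loads(policy_json)
    return sorted(n for n in in_code_defaults
                  if n != "default" and n not in overrides)
```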
