yahoo-eng-team team mailing list archive

[Bug 1708508] [NEW] os-server-groups policy rules are wrong

Public bug reported:

Before policy was moved into code in Newton, the os-server-groups API
actions had only two policy rules:

"os_compute_api:os-server-groups": "rule:admin_or_owner",
"os_compute_api:os-server-groups:discoverable": "@",

With this change in Ocata:

https://review.openstack.org/#/c/391113/

The actual actions now have granular policy checks
(create/delete/index/show).

The problem is that the effective policy check on those went from
"os_compute_api:os-server-groups", which was rule:admin_or_owner, to this:

"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

And "rule:os_compute_api:os-server-groups" is not a real rule, and is
backward incompatible. I don't really know what oslo.policy does if a
rule is used which is not defined.

I know the admin_or_owner rule is defined here:

#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

But there is no rule defined for "os_compute_api:os-server-groups".

** Affects: nova
     Importance: Undecided
         Status: Invalid

** Changed in: nova
       Status: New => Triaged

** Changed in: nova
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1708508
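Added example, not code from the report, nova or oslo.policy: a minimal policy evaluator plus a lint that flags rule: references with no definition, run over the rules quoted in the report. It assumes oslo.policy evaluates a reference to an undefined rule as False (fail closed), and the FIXED_RULES alias is one hypothetical fix, not the one nova adopted.

```python
import re

# Policy dict constructed from the rules quoted in the bug report (Ocata state).
OCATA_RULES = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:os-server-groups:discoverable": "@",
    "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups",
    "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups",
    "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups",
    "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups",
}
# Same policy with the missing alias rule defined (hypothetical fix, an assumption).
FIXED_RULES = dict(OCATA_RULES,
                   **{"os_compute_api:os-server-groups": "rule:admin_or_owner"})

def check(expr, rules, target, creds, depth=0):
    """Evaluate a policy expression: '@', '!', 'a or b', 'a and b',
    'rule:NAME', and 'key:value' where value may be '%(target_key)s'.
    An undefined rule:NAME evaluates False (fail closed, as oslo.policy is
    assumed to do), which turns the report's rules into a blanket deny."""
    expr = expr.strip()
    if depth > 20:           # guard against cyclic rule references
        return False
    if " or " in expr:       # 'or' binds loosest, so split on it first
        return any(check(p, rules, target, creds, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, rules, target, creds, depth) for p in expr.split(" and "))
    if expr in ("@", "!"):
        return expr == "@"
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return match in rules and check(rules[match], rules, target, creds, depth + 1)
    expected = match % target if "%(" in match else match   # interpolate target fields
    return str(creds.get(kind, "")) == expected

def enforce(rules, action, creds, target):
    """Allow only if `action` is defined and its expression holds for `creds`."""
    return action in rules and check(rules[action], rules, target, creds)

def dangling_rule_refs(rules):
    """Lint: map each rule to the rule:NAME references it makes that are undefined."""
    missing = {}
    for name, expr in rules.items():
        undefined = [r for r in re.findall(r"rule:([^\s()]+)", expr) if r not in rules]
        if undefined:
            missing[name] = undefined
    return missing

if __name__ == "__main__":
    owner = {"project_id": "p1", "is_admin": False}   # constructed credentials
    for label, rules in (("ocata", OCATA_RULES), ("fixed", FIXED_RULES)):
        ok = enforce(rules, "os_compute_api:os-server-groups:create", owner, {"project_id": "p1"})
        print(label, "owner may create:", ok, "dangling:", dangling_rule_refs(rules))
```

Running dangling_rule_refs over a deployment's policy file before rollout catches exactly this class of regression, since every action pointing at the undefined alias shows up as a dangling reference.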