yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1739108] Re: api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1739108@xxxxxxxxxxxxxxxxxx>
Date: Sat, 20 Jan 2018 07:20:43 -0000
Reply-to: Bug 1739108 <1739108@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/530488
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Submitter: Zuul
Branch:    master

commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Author: Radomir Dopieralski <openstack@xxxxxxxxxxxx>
Date:   Fri Dec 29 18:33:20 2017 +0100

    Fix api.keystone.is_cloud_admin/is_domain_admin handling with new policies
    
    Allow an action if no policy exists for it and there is no default
    policy.
    
    Change-Id: Ief6dc5ff15a83c70ee171774d1bfc6470c0863d1
    Closes-bug: 1739108


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1739108

Title:
  api.keystone.is_cloud_admin/is_domain_admin do not work with the
  latest policy from keystone repo

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do
  not work with the policy files generated from the latest master branch
  (queens) of the keystone repository (For example, keystone commit
  cfbc2aa30b7406b4bc77e40a55561d1f46174b5c).

  During the policy-in-code work, keystone drops "default" policy (which
  was "rule:admin_required").

  is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and "admin_and_matching_domain_id" policies respectively. They are not defined in the default keystone policy. 
  Previously a policy check fallbacks to "default" rule (i.e., "admin_required") and as a result both Is_cloud_admin() and is_domain_admin() checks "admin_required".

  Now the keystone default policy has no "default" rule. As a result
  is_cloud_admin() and is_doman_admin() always returns False. This means
  some admin-ness panels do not work.

  IIUC, the horizon policy framework intend to work with the default policies from back-end services.
  The current situation should be fixed until Queens release.

  [1]
  https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1739108/+subscriptions

References

[Bug 1739108] [NEW] api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo
From: Akihiro Motoki, 2017-12-19