yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1804073] Re: Keystone fails to log policy target data

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Adam Young <1804073@xxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Nov 2018 21:13:59 -0000
Reply-to: Bug 1804073 <1804073@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Added Oslo.policy to the bug report, as this is going to be an issue
across all of the projects.  Barbican, especially, needs target info,
but the same is true for anything that enforces the scope check.

** Also affects: oslo.policy
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1804073

Title:
  Keystone fails to log policy target data

Status in OpenStack Identity (keystone):
  New
Status in oslo.policy:
  New

Bug description:
  The Oslo Policy Enforcer requires 3 pieces of run-time information in
  addition to the policy rules to issue a RBAC decision:

  1) the name of the rule to be evaluated (called target in the oslo-policy doc)
  2) the auth context (called credentials in the oslo-policy doc)
  3) the target data (resource data relevant to the rule)

  If you are trying to debug policy enforcement or simply validate your
  policy works as expect one can use the oslopolicy-checker tool. But
  the oslopolicy-checker tool needs the *exact* same data keystone
  passes to the policy enforcement engine.

  The fact the target data needs to be logged but isn't is captured in
  this comment from Henry Nash in authorize.py

      # TODO(henry-nash) need to log the target attributes as well

  https://github.com/openstack/keystone/blob/stable/rocky/keystone/common/authorization.py#L139

  But that is not the best location to log, the best place is where
  oslo.policy is called to evaluate a policy rule, that occurs in
  Policy.enforce() in keystone/policy/backends/policy.py

  https://github.com/openstack/keystone/blob/stable/rocky/keystone/policy/backends/rules.py#L29:#L34

  Here we can see it logs the rule name (e.g. action) and the auth
  context (credentials)

  msg = 'enforce %(action)s: %(credentials)s'

  but the target data is not logged.

  Besides the fact the target data is not logged is the fact the logging
  relies on Python's str() method to convert an object into a string
  representation. This has two problems, 1) all contained objects must
  also have __str__() methods that fully log their contents, 2) the
  formatting is often in Python's "representation" style which only
  humans and Python can parse.

  Since both the credential and targets parameters to the enforce method
  are dicts (with arbitrary complex nesting) and the fact JSON is the
  data format we use for data exchange and the format used by
  oslopolicy-checker it makes sense to log the enforcement parameters in
  JSON format. This way no data is lost (because there wasn't an
  appropriate formatter for the object) and it makes it easy import the
  data to another tool (again, without loss of data).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1804073/+subscriptions

References

[Bug 1804073] [NEW] Keystone fails to log policy target data
From: John Dennis, 2018-11-19