yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1865117] Re: fatal=False in context.can() impact the policy-defaults-refresh to get expect tests results

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Ghanshyam Mann <gmann@xxxxxxxxxxxxxxxxx>
Date: Fri, 06 Mar 2020 17:59:13 -0000
Reply-to: Bug 1865117 <1865117@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

as discussed on review, we should not change the fetal=false, instead we
can adjust the test to verify the things. In this case, we should use
the response to verify the policy enforcement not 403.

** Changed in: nova
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1865117

Title:
  fatal=False in context.can() impact the policy-defaults-refresh to get
  expect tests results

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  While we do policy-defaults-refresh feature of os-instance-actions show API [1].
  We should test the authorized contexts and the unauthorized contexts, and check the PolicyNotAuthorized [2].
  If we set fatal=False in context.can(), we will not get the PolicyNotAuthorized exception (e.g.[1]) [3], so we should adjust the judgment strategy when context.can() is used as a condition.

  [1]https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/instance_actions.py#L161
  [2]https://github.com/openstack/nova/blob/master/nova/tests/unit/policies/base.py#L96-L101
  [3]https://review.opendev.org/#/c/707777/2/nova/tests/unit/policies/test_instance_actions.py@131

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1865117/+subscriptions

References

[Bug 1865117] [NEW] fatal=False in context.can() impact the policy-defaults-refresh to get expect tests results
From: Brin Zhang, 2020-02-28