yahoo-eng-team team mailing list archive

[Bug 1955674] [NEW] openstack dashboard conf policies don't match service default policies

 

Public bug reported:

When investigating the status of policy updates in an Ussuri cloud as
it relates to the Consistent and Secure Default Policies project, I found
that the nova_policy.json file does not match the contents of the nova
policy defaults generated by the oslo policy generator.

This ultimately results in requests made in horizon being allowed when
the CLI/API policy would not allow the same actions for the new "reader"
role.

To reproduce, compare the differences of the output of the following command to the packaged nova_policy.json.
 
oslopolicy-policy-generator --namespace nova

https://opendev.org/openstack/horizon/src/branch/stable/ussuri/openstack_dashboard/conf/nova_policy.json

References:
https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team

It appears it wasn't until the Wallaby release that OpenStack Dashboard
refreshed the default policies to match the referenced projects when the
policy configs changed from json to yaml.

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1955674

Title:
  openstack dashboard conf policies don't match service default policies

Status in OpenStack Dashboard (Horizon):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1955674/+subscriptions
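
The comparison described in the report, as an added example that is not part of the original bug report or of the Horizon or nova code: it loads the dashboard's JSON policy and the generator output, then lists the rules whose check strings differ or that exist on only one side. The one-rule-per-line generator output format and every sample rule value below are assumptions constructed for illustration.

```python
import json

# Constructed samples (assumption): not copied from nova_policy.json or from
# real generator output. The "example:" rule names are hypothetical.
DASHBOARD_JSON = """{
  "os_compute_api:servers:show": "rule:admin_or_owner",
  "os_compute_api:servers:delete": "rule:admin_or_owner",
  "example:dashboard_only": "rule:admin_api"
}"""
GENERATED_TEXT = """
# constructed stand-in for: oslopolicy-policy-generator --namespace nova
"os_compute_api:servers:show": "rule:system_or_project_reader"
"os_compute_api:servers:delete":   "rule:admin_or_owner"
"example:service_only": "rule:system_reader_api"
"""

def normalize(check):
    """Collapse whitespace so formatting alone is never reported as drift."""
    return " ".join(check.split())

def parse_generated(text):
    """Parse flat '"rule": "check"' lines (assumed generator output format)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        for name, check in json.loads("{" + line + "}").items():
            rules[name] = normalize(check)
    return rules

def parse_dashboard(text):
    """Load the dashboard's JSON policy file content."""
    return {name: normalize(check) for name, check in json.loads(text).items()}

def policy_drift(dashboard, service):
    """Return rules that differ between the dashboard copy and the service."""
    shared = dashboard.keys() & service.keys()
    return {
        "changed": {r: (dashboard[r], service[r])
                    for r in sorted(shared) if dashboard[r] != service[r]},
        "dashboard_only": sorted(dashboard.keys() - service.keys()),
        "service_only": sorted(service.keys() - dashboard.keys()),
    }

if __name__ == "__main__":
    drift = policy_drift(parse_dashboard(DASHBOARD_JSON),
                         parse_generated(GENERATED_TEXT))
    for rule, (dash, svc) in drift["changed"].items():
        print(f"CHANGED {rule}: dashboard={dash!r} service={svc!r}")
    for side in ("dashboard_only", "service_only"):
        for rule in drift[side]:
            print(f"{side.upper()} {rule}")
```

Entries under "changed" are the ones to review first, since they are rules where the dashboard and the API evaluate different check strings for the same action.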