v2 API policy checks fail with keystone
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Critical | dan wendlandt |
Bug Description
It turns out that all of our unit testing and manual testing of the v2 API seems to have been for the scenario where keystone is not enabled (i.e., keystone middleware is not putting a context into the request environment). The result of this is that all API requests were being handled as admin (this is expected), but that meant that a certain chunk of the policy logic specific to handling non-admin queries was not being exercised, so we failed to uncover that how we were calling it was totally broken.
After looking at the code some more, I also believe that the way the API is currently written, we need to add a tenant_id field to subnet in order to make the existing API code correctly enforce multi-tenancy without adding a special case.
I also found a related bug in db_base_
One last thing: it seems like we should also change the tenant-id field for networks/
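The testing gap in the description above, as an added example that is not part of the original report or of the quantum/neutron code: a generic owner check run under the no-middleware admin fallback and under two tenant contexts. All names (`Context`, `CTX_KEY`, `is_authorized`, the sample data) are hypothetical; only the tenant rows exercise the owner check, and a subnet without `tenant_id` cannot be matched by it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Context:
    tenant_id: Optional[str]
    is_admin: bool

# Hypothetical fallback used when no auth middleware put a context in the
# request environment: every request is then treated as admin.
ADMIN_FALLBACK = Context(tenant_id=None, is_admin=True)
CTX_KEY = "example.context"  # hypothetical environ key

def is_authorized(ctx, resource):
    """Generic owner check: admins see everything, tenants only their own."""
    if ctx.is_admin:
        return True  # the only branch reached when auth is disabled
    owner = resource.get("tenant_id")
    # Fail closed: a resource with no owner field is hidden from non-admins.
    return owner is not None and owner == ctx.tenant_id

def visible_ids(environ, resources):
    ctx = environ.get(CTX_KEY, ADMIN_FALLBACK)
    return sorted(r["id"] for r in resources if is_authorized(ctx, r))

# Constructed sample data.
NETWORKS = [{"id": "net-a", "tenant_id": "tenant-a"},
            {"id": "net-b", "tenant_id": "tenant-b"}]
SUBNETS_NO_OWNER = [{"id": "sub-a", "network_id": "net-a"},
                    {"id": "sub-b", "network_id": "net-b"}]
SUBNETS_WITH_OWNER = [dict(s, tenant_id="tenant-" + s["id"][-1])
                      for s in SUBNETS_NO_OWNER]

def coverage_matrix():
    """List each resource type under every context a deployment can produce."""
    environs = {"no-middleware": {}}
    for tenant in ("tenant-a", "tenant-b"):
        environs[tenant] = {CTX_KEY: Context(tenant, is_admin=False)}
    return {name: {"networks": visible_ids(env, NETWORKS),
                   "subnets_no_owner": visible_ids(env, SUBNETS_NO_OWNER),
                   "subnets_with_owner": visible_ids(env, SUBNETS_WITH_OWNER)}
            for name, env in environs.items()}

if __name__ == "__main__":
    for name, row in coverage_matrix().items():
        print(name, row)
```

A test suite that only ever produces the `no-middleware` row returns every resource and passes regardless of what the non-admin branch does.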
Changed in quantum:
status: Fix Committed → Fix Released

Changed in quantum:
milestone: folsom-3 → 2012.2

Fix proposed to branch: master
Review: https://review.openstack.org/9473