neutron

The admin role should be configurable

Bug #1158434 reported by Salvatore Orlando
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Wishlist
Salvatore Orlando
neutron 2013.2 "havana"

Bug Description

policy.json allows for configuring authZ policies in a very flexible ways.
For instance the admin_only policy defines which role(s) should be granted admin privileges.

However, in several places quantum relies on the is_admin flag. This flag is set by explicitly checking for a hardcoded 'admin' role among the user credentials.

This should be made configurable, in order to be able to match whatever has been specified in policy.json (as it's done by glance, for instance)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25035

Changed in quantum:
status: New → In Progress
Mark McClain (markmcclain)
Changed in quantum:
importance: Undecided → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/25035
Committed: http://github.com/openstack/quantum/commit/35988f13931115658cf20d323da2f549073bcd52
Submitter: Jenkins
Branch: master

commit 35988f13931115658cf20d323da2f549073bcd52
Author: Salvatore Orlando <email address hidden>
Date: Mon Apr 22 09:44:14 2013 +0200

    Make the 'admin' role configurable

    Bug 1158434

    This patch adds a new policy named 'context_is_admin' which defines
    an admin user as a collection of roles or else. The quantum context
    has been updated to check for this policy when setting the is_admin
    flag.
    This patch also adds a method for gathering 'admin' roles from policy
    rules as current logic requires the context to be always populate with
    the correct roles for admin rules, even when the context is implicitly
    generated with get_admin_context or context.elevated.
    Backward compatibility is ensuring by preserving the old behavior if
    the 'context_is_admin' policy is not found in policy.json

    Change-Id: I9acea75cca0c47e083a9149e358328ea3ca12d68

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-1 → 2013.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.