Admin auth check seems to override policy rules.
Bug #1336418 reported by
Charles V Bock
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
Fix Released
|
Undecided
|
Justin Pomeroy | ||
Bug Description
This check for the admin role seems to fly in the face of the RBAC control that keystone now gives us.
since is_superuser is based solely on the user having the role of admin.
if not user.is_superuser:
raise exceptions.
https:/
For instance if I give access to the list-users call for people with role "user_lister" this check effectively overrides my policy every time.
This only happens in horizon, via curl / direct API calls there is no such interference.
Thoughts?
Revision history for this message
| Charles V Bock (charles-v-bock) wrote | #1 |
| Changed in horizon: | |
| status: | New → Invalid |
Revision history for this message
| Charles V Bock (charles-v-bock) wrote | #2 |
| Changed in horizon: | |
| status: | Invalid → New |
| tags: | removed: horizon |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to horizon (master) | #3 |
| Changed in horizon: | |
| assignee: | nobody → Justin Pomeroy (jpomero) |
| status: | New → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to horizon (stable/juno) | #4 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to horizon (master) | #5 |
| Changed in horizon: | |
| status: | In Progress → Fix Committed |
| Changed in horizon: | |
| milestone: | none → kilo-1 |
| Changed in horizon: | |
| status: | Fix Committed → Fix Released |
| Changed in horizon: | |
| milestone: | kilo-1 → 2015.1.0 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on horizon (stable/juno) | #6 |
To post a comment you must log in.
Re-evaluating this... will reopen if Its still an issue.