Horizon policies on CentOS are searched in the wrong place

Talked with Timur about implications of the issue. For example it could non admin user having access to admin part of interface. That is a critical issue and hence it must be addressed in the release.

Ok, after talking a little more with Timur: user will not get access to any objects he have no access according to _components_ policies (keystone, nova, neutron, etc.). User will just see tables he should not see (like admin interface), but the tables will not list any objects user is not allowed. Neither user will be able to perform any operations on objects he is not allowed to. So that is not a security issue, but rather a UX one: user will see parts of the interface which will not work for him. Hence lowering importance back to 'high'.

https://review.openstack.org/#/c/138071/

This bug affects only user experience. Thus, I am lowering the priority and pushing it to 6.1 release.

Vladimir, this bug creates ugly user experience and hence we should treat it as a more important one.

Text for release notes: 'Due to the policy files being searched in the wrong place for CentOS some UI elements and actions seem to be available (because by default - if there is no such rule - all policy checks succeed), but depending on user's permissions, these actions will be rejected by the underlying OpenStack services like Nova, Keystone, Cinder etc. This problem can be fixed by hand via changing the value POLICY_FILES_PATH in /etc/openstack_dashboard/local_settings to '/etc/openstack-dashboard'.

Backport to 5.1: https://review.openstack.org/#/c/144612/

Addressed by https://review.openstack.org/#/c/132688/

Please note that for this exceptional case, backports are different as we have horizon upstream sync only for 6.1, so the fixes for the other versions are different as well.

backport for 6.0 https://review.openstack.org/#/c/144612/

I created "customadmin" user, joined him with ResellerAdmin role.
Then logged-in as "customadmin" and tried to access Admin part of Horizon UI. This action caused an access error.

You do not have permission to access the resource:
/dashboard/admin/

Also checked for POLICY_FILES_PATH:
 cat /etc/openstack-dashboard/local_settings | grep POLICY_FILES_PATH
# POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")

It is still not changed for MOS 6.0.1

{"build_id": "2015-03-05_20-49-44", "ostf_sha": "b38332e6741fc4b0ef40a9b4fe9d2804ee6437cc", "build_number": "118", "auth_required": true, "api": "1.0", "nailgun_sha": "a27dcf6a04c12ab6c0bfa7039ffba84ed7574592", "production": "docker", "fuelmain_sha": "bc1a1279509a87de0b9201e6dd2d393e0e122905", "astute_sha": "f7cda2171b0b677dfaeb59693d980a2d3ee4c3e0", "feature_groups": ["mirantis"], "release": "6.0.1", "release_versions": {"2014.2.2-6.0.1": {"VERSION": {"build_id": "2015-03-05_20-49-44", "ostf_sha": "b38332e6741fc4b0ef40a9b4fe9d2804ee6437cc", "build_number": "118", "api": "1.0", "nailgun_sha": "a27dcf6a04c12ab6c0bfa7039ffba84ed7574592", "production": "docker", "fuelmain_sha": "bc1a1279509a87de0b9201e6dd2d393e0e122905", "astute_sha": "f7cda2171b0b677dfaeb59693d980a2d3ee4c3e0", "feature_groups": ["mirantis"], "release": "6.0.1", "fuellib_sha": "b667689e264b0f81073193026fb43d446e7dab3d"}}}, "fuellib_sha": "b667689e264b0f81073193026fb43d446e7dab3d"}

On verification

Verified on Centos deployment of MOS 6.1

# cat /etc/openstack-dashboard/local_settings | grep POLICY_FILES_PATH
POLICY_FILES_PATH = '/etc/openstack-dashboard'

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "6.1"
  openstack_version: "2014.2.2-6.1"
  api: "1.0"
  build_number: "395"
  build_id: "2015-05-08_11-08-49"
  nailgun_sha: "46f55c293e4540d31bcaa6ca3fba77235fb27537"
  python-fuelclient_sha: "af6c9c3799b9ec107bcdc6dbf035cafc034526ce"
  astute_sha: "6a4dcd11c67af2917815f3678fb594c7412a4c97"
  fuel-library_sha: "f385d6a58298c702f8d4f14c452dcffdc0b1e2a3"
  fuel-ostf_sha: "740ded337bb2a8a9b3d505026652512257375c01"
  fuelmain_sha: "3eca5e8f7ca6a83faff5feeca92c21cff31c0af1"