updates to policy are not backward compatible

Bug #1408808 reported by Adam Gandelman
This bug affects 1 person
Affects   Status         Importance   Assigned to      Milestone
Ironic    Fix Released   Critical     Adam Gandelman

Bug Description

https://review.openstack.org/#/c/126265/ made many changes to ironic's policy code, including changes to the default /etc/ironic/policy.json. The assumption across most projects is that /etc files are configuration, and that newer versions of a project should function correctly with older versions of configuration. However, the recent changes to ironic's policy engine require the newer policy rules be configured. Attempting to use a checkout of master with a pre-126265 policy.json results in 403s for admin users attempting to use the API.

This was discovered via the experimental grenade upgrade job, which brings up the Kilo service using Juno config:

http://logs.openstack.org/74/124474/4/experimental/check-grenade-dsvm-ironic/4edd6f2/logs/grenade.sh.txt.gz#_2015-01-08_06_45_22_199

http://logs.openstack.org/74/124474/4/experimental/check-grenade-dsvm-ironic/4edd6f2/logs/new/screen-ir-api.txt.gz#_2015-01-08_06_43_25_026

We either need to add some backward compat code to check against the old policies as well, or be loud about this in release notes and add an upgrade step to grenade to update policies before starting the new version.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/145984

Changed in ironic:
status: New → In Progress
Dmitry Tantsur (divius)
Changed in ironic:
importance: Undecided → Critical
Changed in ironic:
assignee: nobody → Adam Gandelman (gandelman-a)
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/145984
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=094565bb2d5b1c2e8ee6aa0534804fa21a2f64c7
Submitter: Jenkins
Branch: master

commit 094565bb2d5b1c2e8ee6aa0534804fa21a2f64c7
Author: Adam Gandelman <email address hidden>
Date: Thu Jan 8 16:37:03 2015 -0800

    Provided backward compat for enforcing admin policy

    The ContextHook API hook was changed in a way that it cannot
    construct an admin-enabled context with the default juno
    policy.json, preventing admin users from using the API. This
    updates it to enforce the previous 'admin' rule in addition
    to the new 'admin_api' rule.

    Change-Id: I47985e8989837ce8a9e44bbf5a068ddfcab179f6
    Closes-bug: #1408808

Changed in ironic:
status: In Progress → Fix Committed
Adam Gandelman (gandelman-a) wrote :

Re-opening this. Even with this fix, current ironic kilo has no way of allowing unauthenticated requests to the root URL to check service availability while the juno policy.json is in place:

$ curl http://127.0.0.1:6385
{"error_message": "<html>\n <head>\n <title>403 Forbidden</title>\n </head>\n <body>\n <h1>403 Forbidden</h1>\n Access was denied to this resource.<br /><br />\n\n\n\n </body>\n</html>"}

Expected behavior:

$ curl http://127.0.0.1:6385
{"default_version": {"id": "v1", "links": [{"href": "http://127.0.0.1:6385/v1/", "rel": "self"}]}, "versions": [{"id": "v1", "links": [{"href": "http://127.0.0.1:6385/v1/", "rel": "self"}]}], "name": "OpenStack Ironic API", "description": "Ironic is an OpenStack project which aims to provision baremetal machines."}

Changed in ironic:
status: Fix Committed → New
Changed in ironic:
status: New → In Progress
Ruby Loo (rloo) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/148381

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/148381
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=bf66391072b69eb9d86d0b3834e7ac1eecaafba8
Submitter: Jenkins
Branch: master

commit bf66391072b69eb9d86d0b3834e7ac1eecaafba8
Author: Adam Gandelman <email address hidden>
Date: Mon Jan 19 15:06:01 2015 -0800

    Simplify policy.json

    Ironic's policy code was recently refactored. As part of that work,
    a new 'trusted_call' rule was added to policy.json that allows
    granting/denying access to public APIs. This is problematic, though,
    as public access to public API routes now depends on specific rules
    being configured in policy.json, and this creates an issue for upgrading.
    Users who attempt to use new code with juno's policy.json and keystone
    auth will find public API access is denied.

    This reverts the API policy hook to always allow access to
    public API endpoints by default. Doing so allows policy.json
    to be simplified considerably and keeps public endpoints
    backward compatible with Juno's default policy.

    Closes-bug: 1408808

    Change-Id: Idedae868dbdd717a6e064edd398fa65f8725d0c0

Changed in ironic:
status: In Progress → Fix Committed
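
The upgrade failure and the two fixes described in the commit messages above (the fallback to the previous 'admin' rule, and public endpoints that no longer depend on policy.json), as an added example that is not Ironic's or oslo's code. The rule evaluator is a toy, both policy dicts are constructed and simplified, and the names authorize_strict and authorize_compat are hypothetical.

```python
# Added illustration: toy rule evaluator, not oslo policy or Ironic code.
# Both policy dicts are constructed, simplified samples.
OLD_POLICY = {"admin": "role:admin or role:administrator"}
NEW_POLICY = {
    "admin_api": "role:admin or role:administrator",
    "trusted_call": "rule:admin_api or public_api:True",
}


def check(policy, rule, creds):
    """Evaluate an 'a or b' rule; a rule missing from the file denies."""
    expr = policy.get(rule)
    if expr is None:
        return False
    return any(_term(policy, t.strip(), creds) for t in expr.split(" or "))


def _term(policy, term, creds):
    kind, _, value = term.partition(":")
    if kind == "rule":
        return check(policy, value, creds)
    if kind == "role":
        return value in creds.get("roles", ())
    return str(creds.get(kind)) == value  # generic key:value match


def authorize_strict(policy, creds, public_route):
    """Hook that only knows the new rule names (the upgrade failure)."""
    creds = dict(creds, public_api=public_route)
    if public_route:
        return check(policy, "trusted_call", creds)
    return check(policy, "admin_api", creds)


def authorize_compat(policy, creds, public_route):
    """Hook that also accepts the old 'admin' rule; public routes always pass."""
    if public_route:
        return True
    return check(policy, "admin_api", creds) or check(policy, "admin", creds)


if __name__ == "__main__":
    admin, anon = {"roles": ["admin"]}, {"roles": []}
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        for hook in (authorize_strict, authorize_compat):
            print(name, hook.__name__, "admin:", hook(policy, admin, False),
                  "anon root URL:", hook(policy, anon, True))
```

Because the compat hook ORs the two rules, a policy file that defines both lets the more permissive one win, so a tightened admin_api is only effective once the old admin rule is tightened or removed as well.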
Thierry Carrez (ttx)
Changed in ironic:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ironic:
milestone: kilo-2 → 2015.1.0