Policy definition (policy.json) is not honored for admin tenant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Designate | Invalid | Undecided | Unassigned |
python-designateclient | Fix Released | Medium | Satyanarayana Patibandla |
Bug Description
Policy definition (policy.json) is not honored for admin tenant
Steps to reproduce.
-------
1. Assume there is an 'admin' tenant. (is_admin == True)
2. There is one more tenant 'demo' who is not admin.
3. 'demo' tenant creates a domain and also creates some 'A' records.
4. The admin tries to update one of those records and gets a "Domain Not found" error.
Indeed, policy.json has entries like
{
"admin": "role:admin or is_admin:True",
"owner": "tenant_
"admin_
.......
"create_
"get_domains": "rule:admin_
"get_domain": "rule:admin_
"get_
"find_domains": "rule:admin_
"find_domain": "rule:admin_
.......
"create_
.......
}
description: updated
Changed in python-designateclient:
assignee: nobody → Satyanarayana Patibandla (satya-patibandla)
Changed in python-designateclient:
milestone: none → 1.3.0
status: Fix Committed → Fix Released
For example, consider the following code from designate/central/service.py.
Line number 2 (get_domain) returns no domain for the 'admin' tenant, because the
tenant_id in the 'context' is the admin tenant's id, while the domain may be owned by
another tenant who is not an admin. The lookup therefore fails before the policy
check on line 4 is ever reached, so the "admin" rule in policy.json is never consulted.
=======
1. def create_recordset(self, context, domain_id, values):
2.     domain = self.storage_api.get_domain(context, domain_id)
3.     target = {
           'domain_id': domain_id,
           'domain_name': domain['name'],
           'recordset_name': values['name'],
           'tenant_id': domain['tenant_id'],
       }
4.     policy.check('create_recordset', context, target)
   ......
=======
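The ordering problem described above, as an added reproducer that is not Designate's code: a tenant-scoped get_domain runs before the policy check, so an admin whom the policy would allow still gets "Domain Not found". The storage contents and the three policy entries other than "admin" (which is quoted verbatim in the report) are constructed assumptions.

```python
class DomainNotFound(Exception):
    pass
class Context:
    def __init__(self, tenant_id, roles=(), is_admin=False):
        self.tenant_id, self.roles, self.is_admin = tenant_id, set(roles), is_admin

# Constructed sample storage: one domain owned by the non-admin 'demo' tenant.
DOMAINS = {"d1": {"id": "d1", "name": "example.org.", "tenant_id": "demo"}}

# Constructed policy. "admin" is quoted verbatim in the report; the other three
# values are truncated there, so these are assumptions in the same style.
POLICY = {"admin": "role:admin or is_admin:True",
          "owner": "tenant_id:%(tenant_id)s",
          "admin_or_owner": "rule:admin or rule:owner",
          "create_recordset": "rule:admin_or_owner"}

def check_rule(rule, context, target):
    """Tiny evaluator for the 'kind:value or kind:value' rule form above."""
    for clause in rule.split(" or "):
        kind, _, value = clause.partition(":")
        value = value % target  # expands %(tenant_id)s from the target dict
        if kind == "rule" and check_rule(POLICY[value], context, target):
            return True
        if kind == "role" and value in context.roles:
            return True
        if kind not in ("rule", "role") and str(getattr(context, kind, None)) == value:
            return True
    return False

def get_domain(context, domain_id):  # tenant-scoped: filters on the caller's tenant_id
    domain = DOMAINS.get(domain_id)
    if domain is None or domain["tenant_id"] != context.tenant_id:
        raise DomainNotFound(domain_id)
    return domain

def create_recordset(context, domain_id, values):
    """Same ordering as the quoted service code: lookup first, policy second."""
    domain = get_domain(context, domain_id)  # raises before policy is consulted
    target = {"domain_id": domain_id, "domain_name": domain["name"],
              "recordset_name": values["name"], "tenant_id": domain["tenant_id"]}
    if not check_rule(POLICY["create_recordset"], context, target):
        raise PermissionError("create_recordset")
    return target

def reproduce(context):  # returns (policy_allows, outcome) for comparison
    allowed = check_rule(POLICY["create_recordset"], context, DOMAINS["d1"])
    try:
        create_recordset(context, "d1", {"name": "www.example.org."})
        return allowed, "created"
    except DomainNotFound:
        return allowed, "Domain Not found"
```

For the admin context the policy answers True yet the call fails exactly like a stranger's, which is the symptom the report describes; only the owning 'demo' tenant succeeds.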