"legacy" admin rule does not work and is not needed anymore
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | Fix Released | Medium | Salvatore Orlando | | |
Bug Description
in neutron/policy.py:
    def check_is_
        """Verify context has admin rights according to policy settings."""
        init()
        # the target is user-self
        credentials = context.to_dict()
        target = credentials
        # Backward compatibility: if ADMIN_CTX_POLICY is not
        # found, default to validating role:admin
        admin_policy = (ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in _ENFORCER.rules
        return _ENFORCER.
If ADMIN_CTX_POLICY is not specified, the enforcer checks role:admin, which, since it does not exist among the rules loaded from file, defaults to TrueCheck. This is wrong, and to an extent even dangerous, because if ADMIN_CTX_POLICY is missing, then every context would be regarded as an admin context. Thankfully this was only for backward compatibility and is not necessary anymore.
A similar mistake is made for ADVSVC_CTX_POLICY. This is even more puzzling because there was no backward compatibility requirement there.
Obviously the unit tests supposed to ensure the correct behaviour of the backward compatibility tweak are validating something completely different.
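A simplified model of the fallback described above, added here as an illustration and not taken from neutron or oslo.policy. `ToyEnforcer`, the rule value `context_is_admin`, the `check_is_admin_legacy` / `check_is_admin_strict` names and the sample credentials are assumptions; the enforcer's verdict for an unknown rule name is set to allow, as the report describes. It compares the fallback with a check that denies when the admin rule is absent, using a non-admin context.

```python
# Simplified model of the fail-open fallback described in the report.
# ToyEnforcer is hypothetical; it is not oslo.policy or neutron code.
ADMIN_CTX_POLICY = "context_is_admin"  # assumed rule name for this sketch


class ToyEnforcer:
    def __init__(self, rules, missing_rule_result):
        self.rules = rules  # rule name -> callable(credentials) -> bool
        self.missing_rule_result = missing_rule_result

    def enforce(self, rule_name, credentials):
        check = self.rules.get(rule_name)
        if check is None:
            # An unknown rule name resolves to a constant verdict.
            return self.missing_rule_result
        return check(credentials)


def is_admin_role(credentials):
    return "admin" in credentials.get("roles", [])


def check_is_admin_legacy(enforcer, credentials):
    """Reported pattern: fall back to a rule name that was never loaded."""
    policy = ADMIN_CTX_POLICY if ADMIN_CTX_POLICY in enforcer.rules else "role:admin"
    return enforcer.enforce(policy, credentials)


def check_is_admin_strict(enforcer, credentials):
    """No fallback: a policy file without the admin rule grants nothing."""
    if ADMIN_CTX_POLICY not in enforcer.rules:
        return False
    return enforcer.enforce(ADMIN_CTX_POLICY, credentials)


# Constructed inputs: one rule set lacking the admin rule, one complete.
RULES_WITHOUT_ADMIN = {"owner": lambda credentials: True}
COMPLETE_RULES = {ADMIN_CTX_POLICY: is_admin_role}
MEMBER = {"user_id": "u1", "roles": ["member"]}
ADMIN = {"user_id": "u2", "roles": ["admin"]}
FAIL_OPEN = ToyEnforcer(RULES_WITHOUT_ADMIN, missing_rule_result=True)

if __name__ == "__main__":
    print("legacy, member, rule missing:", check_is_admin_legacy(FAIL_OPEN, MEMBER))
    print("strict, member, rule missing:", check_is_admin_strict(FAIL_OPEN, MEMBER))
```

A unit test that only exercises an admin context passes for both functions; the non-admin context with the rule missing is the case that separates them.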
Changed in neutron: | |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | liberty-1 → liberty-rc1 |
Changed in neutron: | |
milestone: | liberty-rc1 → 7.0.0 |
Fix proposed to branch: master
Review: https://review.openstack.org/175078