Pecan: policy evaluation error can trigger 500 response

Bug #1505831 reported by Salvatore Orlando
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Salvatore Orlando

Bug Description

In [1], if policy_method == enforce, a PolicyNotAuthorizedException is triggered.
However, the exception translation hook is not called, most likely because the on_error hook is not installed on other policy hooks.
This might be logical and should therefore not be considered a pecan bug.

The policy hook should take this into account and handle the exception.

[1] http://git.openstack.org/cgit/openstack/neutron/tree/neutron/pecan_wsgi/hooks/policy_enforcement.py#n94

Tags: api
OpenStack Infra (hudson-openstack) wrote: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/234457

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Low
tags: added: api
Changed in neutron:
milestone: mitaka-1 → mitaka-2
OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/234457
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=293c3e01efce74d110ff34703a9e68ce2cd782e6
Submitter: Jenkins
Branch: master

commit 293c3e01efce74d110ff34703a9e68ce2cd782e6
Author: Salvatore Orlando <email address hidden>
Date: Tue Oct 13 15:08:47 2015 -0700

    Pecan: Fixes and tests for the policy enforcement hook

    As PolicyNotAuthorizedException is raised in a hook, the
    ExceptionTranslationHook is not invoked for it; therefore a 500
    response is returned whereas a 403 was expected. This patch
    explicitly handles the exception in the hook in order to ensure
    the appropriate response code is returned.

    Moreover, the structure of the 'before' hook prevented checks
    on DELETE requests from being performed. As a result the check
    was not performed at all (checks on the 'after' hook only pertain
    to GET requests). This patch changes the logic of the 'before' hook
    by ensuring the item to authorize access to is loaded both on PUT
    and DELETE requests.

    This patch also adds functional tests specific for the policy
    enforcement hook.

    Change-Id: I8c76cb05568df47648cff71a107cfe701b286bb7
    Closes-Bug: #1520180
    Closes-Bug: #1505831

Changed in neutron:
status: In Progress → Fix Released
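The two failure modes the merged commit describes (a policy exception escaping the 'before' hook and surfacing as a 500 instead of a 403, and DELETE requests never reaching the policy check) can be shown with a small constructed model. The following is an added example, not code from neutron, Pecan or the commit above: the hook pipeline, the exception classes, fake_policy_enforce and the request/database dictionaries are all stand-ins invented here, and dispatch() simply encodes the behaviour the bug report states (exceptions raised inside a hook are not offered to the translation hook's on_error; only controller exceptions are), not Pecan's real dispatch logic.

```python
# Constructed model of the hook-ordering problem in this bug and of the fix
# described in the commit message. Nothing here is Pecan's or neutron's code;
# names mirror the page's terminology so the two behaviours are easy to compare.


class PolicyNotAuthorizedException(Exception):
    """Stand-in for the policy engine's 'denied' exception (constructed)."""


class HTTPError(Exception):
    """Stand-in for a framework HTTP exception carrying a status code."""

    def __init__(self, status, detail=""):
        super().__init__(detail)
        self.status = status
        self.detail = detail


def fake_policy_enforce(context, action, target):
    """Constructed policy check: only the owner of an item may act on it."""
    if context["user"] != target["owner"]:
        raise PolicyNotAuthorizedException(f"{action} denied for {context['user']}")


class ExceptionTranslationHook:
    """Translates application exceptions raised by the controller into HTTP errors."""

    def on_error(self, state, exc):
        if isinstance(exc, PolicyNotAuthorizedException):
            return HTTPError(403, str(exc))
        return None  # not ours: let the pipeline fall through to a 500


class BuggyPolicyHook:
    """Pre-fix shape: the item is loaded only for PUT, so DELETE is never
    checked, and the policy exception escapes the hook untranslated."""

    def before(self, state):
        req = state["request"]
        if req["method"] == "PUT":
            target = state["db"][req["item_id"]]
            fake_policy_enforce(req["context"], "update", target)


class FixedPolicyHook:
    """Post-fix shape: load the item for both PUT and DELETE, and convert the
    policy exception into a 403 inside the hook itself."""

    ACTIONS = {"PUT": "update", "DELETE": "delete"}

    def before(self, state):
        req = state["request"]
        action = self.ACTIONS.get(req["method"])
        if action is None:
            return  # GET checks happen in the 'after' hook, not modelled here
        target = state["db"][req["item_id"]]
        try:
            fake_policy_enforce(req["context"], action, target)
        except PolicyNotAuthorizedException as e:
            raise HTTPError(403, str(e))


def dispatch(hooks, state, controller):
    """Simplified pipeline: exceptions raised in a hook's `before` are NOT
    offered to other hooks' on_error (the behaviour this bug reports); only
    controller exceptions are. Returns the resulting HTTP status code."""
    try:
        for h in hooks:
            if hasattr(h, "before"):
                h.before(state)
    except HTTPError as e:
        return e.status  # an HTTP exception already carries its status
    except Exception:
        return 500  # anything else is an unhandled server error
    try:
        controller(state)
    except HTTPError as e:
        return e.status
    except Exception as e:
        for h in hooks:
            if hasattr(h, "on_error"):
                translated = h.on_error(state, e)
                if translated is not None:
                    return translated.status
        return 500
    return 200


def run(policy_hook_cls, method, user):
    """Send one constructed request through the pipeline and return the status."""
    state = {
        "db": {"net-1": {"owner": "alice"}},
        "request": {"method": method, "item_id": "net-1", "context": {"user": user}},
    }
    hooks = [ExceptionTranslationHook(), policy_hook_cls()]

    def controller(state):
        if method == "DELETE":
            del state["db"]["net-1"]

    return dispatch(hooks, state, controller)


if __name__ == "__main__":
    for cls in (BuggyPolicyHook, FixedPolicyHook):
        for method in ("PUT", "DELETE"):
            print(cls.__name__, method, "by bob ->", run(cls, method, "bob"))
```

With the buggy hook a denied PUT comes back as 500 and a DELETE by a non-owner succeeds with 200 because the check is skipped; with the fixed hook both return 403 while the owner's own DELETE still returns 200. The point worth keeping from the fix is that a hook which can raise a domain exception must either be covered by the translation path or map the exception to an HTTP status itself, otherwise an authorization denial is reported as a server fault and, worse, a skipped branch is indistinguishable from a passed check.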
Thierry Carrez (ttx) wrote: Fix included in openstack/neutron 8.0.0.0b2

This issue was fixed in the openstack/neutron 8.0.0.0b2 development milestone.
