Policy checks should not be executed by worker
Bug #1517177 reported by
Davide Agnello
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cue |
Fix Released
|
Medium
|
Saurabh Surana |
Bug Description
The API process should be validating policy before submitting a job to the job board. When API/Objects/DB layers were added, policy checks were added to the Objects layer. Cue worker did not exist then. Since the worker needs to access and update DB records, it interfaces through the Objects layer. This requires the Worker to do policy validation.
If a user's request policy is validated by the API prior to submitting a job for the worker, this would avoid invalid jobs being submitted by the API.
Changed in cue: | |
importance: | Undecided → Medium |
Changed in cue: | |
assignee: | nobody → Saurabh Surana (saurabh-surana) |
Changed in cue: | |
status: | New → In Progress |
To post a comment you must log in.
Reviewed: https:/ /review. openstack. org/254994 /git.openstack. org/cgit/ openstack/ cue/commit/ ?id=880a1037786 fddfaf14687180b 0b3aa7be708764
Committed: https:/
Submitter: Jenkins
Branch: master
commit 880a1037786fddf af14687180b0b3a a7be708764
Author: Saurabh Surana <email address hidden>
Date: Tue Dec 8 14:46:23 2015 -0800
policy checks are now being done in the api layer
API layer talks to object layer to get DB records, it then
uses that DB record and context object to perform policy checks
to determine if the necessary API request has required
authorization to access the REST endpoint/resource.
Modified tests to use new methods in API which are doing
policy checks.
Closes-Bug: 1517177 22c6b46fa19dc7c 195ff222f8b
Depends-On: I385c161bc10d6a
Change-Id: I767f59061cc9aa 1df20bde0b1fe33 d069e01d751