Cyclical reference check seems broken
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo.policy | Fix Released | Medium | Ben Nemec | |
Bug Description
If I create a policy file with the following rules:
"identity:
"identity:
I am getting a warning from oslo.policy about them being part of a cyclical reference. I don't see how that's cyclical though. The latter rule refers to the former, but the former does not reciprocate. Unless somehow rule:owner has a nested reference to identity:
This is particularly problematic as this pattern is how we handle deprecations in the generated sample policy files, so it's going to be a common thing.
Oh, actually I was mistaken. If you explicitly put both rules in the policy file then the warning is not triggered. It's only if you rely on the fact that the first rule is the default in code that you get the warning. So the problematic policy file is actually more like:
# This is the default from policy-in-code
#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner"
"identity:get_application_credentials": "rule:identity:get_application_credential"
The rest of what I said is still valid.
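
Added example, not part of the original report and not oslo.policy's own implementation: a cycle check run over the effective rule set (in-code defaults overlaid with the policy file), applied to the rules quoted in this report. The function names and the `owner` check string are assumptions made for illustration.

```python
import re

# A reference to another rule inside a check string, e.g. "rule:owner".
RULE_REF = re.compile(r"\brule:([^\s()]+)")

# Constructed in-code defaults. The "owner" check string is a placeholder;
# the other default is the one quoted in the report.
DEFAULTS = {
    "owner": "user_id:%(user_id)s",
    "identity:get_application_credential":
        "(role:reader and system_scope:all) or rule:owner",
}


def effective_rules(file_rules, defaults=DEFAULTS):
    """Overlay policy-file rules on the in-code defaults (file wins)."""
    merged = dict(defaults)
    merged.update(file_rules)
    return merged


def find_cycles(rules):
    """Return every reference cycle as a list of rule names, e.g. [a, b, a]."""
    graph = {name: RULE_REF.findall(check) for name, check in rules.items()}
    in_progress, done, cycles = set(), set(), []

    def visit(name, path):
        in_progress.add(name)
        path.append(name)
        for ref in graph.get(name, ()):
            if ref in in_progress:
                # Back edge: the referenced rule is already on the current path.
                cycles.append(path[path.index(ref):] + [ref])
            elif ref in graph and ref not in done:
                visit(ref, path)
        path.pop()
        in_progress.discard(name)
        done.add(name)

    for name in graph:
        if name not in done:
            visit(name, [])
    return cycles


# The policy file from the report: only the second rule is set explicitly.
REPORTED_FILE = {
    "identity:get_application_credentials":
        "rule:identity:get_application_credential",
}
```

A one-way reference to a rule that exists only as an in-code default yields no cycle; only a rule reachable from itself does.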