Can't move to or from empty policy with deprecated_rule
Bug #1856207 reported by
Zane Bitter
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| oslo.policy |
Fix Released
|
Undecided
|
Zane Bitter | ||
Bug Description
When a policy is deprecated, we allow access to requests that would be allowed by either the old or the new rule.
Currently this is implemented by sticking the string ' or ' between the old and new rules and parsing the result as a whole. That means that if either the old or new rules is an empty string then you end up with an error like:
"Failed to understand rule or role:admin: ValueError: Could not parse rule"
(With quotes that would look like "rule ' or role:admin'".)
It's possible that this works correctly with unparenthesised inputs containing and/or/not, since IIUC the 'or' operator has the lowest precedence, but I wouldn't say it was obviously correct either.
| Changed in oslo.policy: | |
| assignee: | nobody → Zane Bitter (zaneb) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to oslo.policy (master) | #1 |
| Changed in oslo.policy: | |
| status: | New → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to oslo.policy (master) | #2 |
| Changed in oslo.policy: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/oslo.policy 2.4.1 | #3 |
To post a comment you must log in.
Fix proposed to branch: master
Review: https:/