Can't move to or from empty policy with deprecated_rule
Bug #1856207 reported by Zane Bitter
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo.policy | Fix Released | Undecided | Zane Bitter | |
Bug Description
When a policy is deprecated, we allow access to requests that would be allowed by either the old or the new rule.
Currently this is implemented by sticking the string ' or ' between the old and new rules and parsing the result as a whole. That means that if either the old or new rule is an empty string then you end up with an error like:
"Failed to understand rule or role:admin: ValueError: Could not parse rule"
(With quotes that would look like "rule ' or role:admin'".)
It's possible that this works correctly with unparenthesised inputs containing and/or/not, since IIUC the 'or' operator has the lowest precedence, but I wouldn't say it was obviously correct either.
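The failure described above, reproduced with a toy check-string parser. This is an added example, not oslo.policy code and not part of the report; the grammar, `parse_rule`, and the `combine_*` helpers are constructed for illustration. It compares joining the strings with ' or ' against parsing each rule separately and OR-ing the resulting checks:

```python
# Toy grammar (an assumption for this example): '' always allows; otherwise
# 'role:NAME' terms, optionally prefixed by 'not', joined by 'and' / 'or',
# with 'or' binding loosest.

def _split(tokens, keyword):
    """Split a token list into groups at each occurrence of keyword."""
    groups, current = [], []
    for tok in tokens:
        if tok == keyword:
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return groups

def _term(tokens):
    negate = False
    while tokens and tokens[0] == "not":
        negate, tokens = not negate, tokens[1:]
    if len(tokens) != 1 or not tokens[0].startswith("role:"):
        raise ValueError("Could not parse rule")  # an empty operand lands here
    role = tokens[0][len("role:"):]
    return lambda roles: (role in roles) != negate

def parse_rule(text):
    """Return a predicate over a set of role names."""
    tokens = text.split()
    if not tokens:
        return lambda roles: True  # empty policy: always allow
    any_of = [[_term(t) for t in _split(g, "and")] for g in _split(tokens, "or")]
    return lambda roles: any(all(c(roles) for c in grp) for grp in any_of)

def combine_by_string(old, new):
    """The approach the report describes: join the strings, then parse."""
    return parse_rule(old + " or " + new)

def combine_parsed(old, new):
    """Parse each rule on its own, then OR the two checks."""
    old_check, new_check = parse_rule(old), parse_rule(new)
    return lambda roles: old_check(roles) or new_check(roles)

def string_join_parses(old, new):
    try:
        combine_by_string(old, new)
        return True
    except ValueError:
        return False
```

In this toy grammar the two approaches agree whenever both rules are non-empty, because 'or' binds loosest; they differ only when one side is the empty (allow-all) policy.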
Changed in oslo.policy:
assignee: nobody → Zane Bitter (zaneb)
Fix proposed to branch: master
Review: https://review.opendev.org/698790