Default rule does not work in ceilometer policy.json

Bug #1435855 reported by Divya K Konoor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ceilometer | Fix Released | High | Divya K Konoor |

Bug Description

The rule default does not work for ceilometer. I tried with a few of these and they don't work. I am able to proceed with the REST APIs that are not mentioned even when the default is set to not_allowed.

"default": "not_allowed:True",
"default": "!",

The problem appears to be here >>/usr/lib/python2.7/site-packages/ceilometer/api/rbac.py

    for rule_name in _ENFORCER.rules.keys():
        if rule_method == rule_name:
            if not _ENFORCER.enforce(
                    rule_name,
                    {},
                    policy_dict):
                pecan.core.abort(status_code=403,
                                 detail='RBAC Authorization Failed')

The rbac.enforce method loops through all the rules and filters the one that matches the one requested. However, in a case where the rule has not been specified in the policy.json file, there is no logic in the above to fall back on the default value. The default logic is already taken care of by oslo_policy and the above loop seems to be causing the problem.
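
The fail-open behaviour described in this report, as an added example that is not part of the original report and is not ceilometer or oslo_policy code. It is a simplified model: the action names and the sample policy are constructed, and only the check strings "!" (always deny, as in the report) and "@" (always allow) are handled.

```python
# Simplified model of the lookup described above; not ceilometer or oslo_policy code.
# "!" always denies (as used in the report); "@" always allows.
POLICY = {"default": "!", "example:listed_call": "@"}  # constructed sample policy

# Hypothetical API action names; only the first one is listed in POLICY.
API_ACTIONS = ["example:listed_call", "example:unlisted_read", "example:unlisted_write"]


def check(rule_string):
    """Evaluate the two trivial check strings this model supports."""
    if rule_string == "!":
        return False
    if rule_string == "@":
        return True
    raise ValueError("unsupported check string in this model: %r" % rule_string)


def enforce_by_loop(rules, action):
    """Pattern from the report: only rules listed by name are ever checked."""
    for rule_name in rules.keys():
        if action == rule_name:
            if not check(rules[rule_name]):
                return False  # the API would abort with 403 here
    return True  # unlisted action: nothing was enforced, the request proceeds


def enforce_with_default(rules, action):
    """Direct lookup falling back to "default"; this model denies if neither exists."""
    return check(rules.get(action, rules.get("default", "!")))


def fail_open_actions(rules, api_actions):
    """Actions the loop lets through although the default-aware lookup denies them."""
    return sorted(a for a in api_actions
                  if enforce_by_loop(rules, a) and not enforce_with_default(rules, a))


if __name__ == "__main__":
    for action in API_ACTIONS:
        print(action, enforce_by_loop(POLICY, action), enforce_with_default(POLICY, action))
    print("fail-open:", fail_open_actions(POLICY, API_ACTIONS))
```

Running fail_open_actions over the full list of actions an API exposes gives a quick regression check that every action missing from policy.json is governed by the default rule.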

Changed in keystone:
status: New → Incomplete
status: Incomplete → New
assignee: nobody → Divya K Konoor (dikonoor)
Changed in keystone:
status: New → Incomplete
no longer affects: ceilometer
affects: keystone → ceilometer
Changed in ceilometer:
status: Incomplete → New
Changed in ceilometer:
status: New → In Progress
Divya K Konoor (dikonoor) wrote :

patch submitted for review >> https://review.openstack.org/#/c/167370/

Eoghan Glynn (eglynn)
Changed in ceilometer:
importance: Undecided → High
Eoghan Glynn (eglynn)
Changed in ceilometer:
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to ceilometer (master)

Reviewed: https://review.openstack.org/167370
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=aa78d70df29c3927c032ef49079011fd9c937f73
Submitter: Jenkins
Branch: master

commit aa78d70df29c3927c032ef49079011fd9c937f73
Author: Divya <email address hidden>
Date: Fri Mar 27 09:27:35 2015 +0100

    Adds support for default rule in ceilometer policy.json.

    The default rule is broken in the current implementation of
    ceilometer rbac, because ceilometer rbac.py does not leverage
    the support provided by oslo_policy. It instead tries to
    loop through all the rules in the policy.json to check if the
    rule corresponding to the requested REST API matches with
    any in the policy.json. In this process, it completely ignores
    the existence of the default rule.

    Closes-Bug: 1435855

    Change-Id: Icab626b28d14514b0f024df447a8e7f35c52257c

Changed in ceilometer:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in ceilometer:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: kilo-rc1 → 2015.1.0