[19.04] incorrect policy rule is used in the rocky+ keystonev3_policy.json

Bug #1827526 reported by Dmitrii Shcherbakov
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard Charm | Fix Released | High | Dmitrii Shcherbakov | |

Bug Description

apache error.log:

[Fri May 03 14:45:55.245870 2019] [wsgi:error] [pid 158283:tid 140544471271168] [remote 10.232.46.101:60140] Policies ['cloud_admin', 'owner', 'admin_or_owner', 'admin_and_matching_domain_id', 'identity:create_trust'] reference a rule that is not defined.
[Fri May 03 14:46:00.262278 2019] [wsgi:error] [pid 158280:tid 140544412522240] [remote 10.232.46.101:60140] Policies ['cloud_admin', 'owner', 'admin_or_owner', 'admin_and_matching_domain_id', 'identity:create_trust'] reference a rule that is not defined.
[Fri May 03 14:46:01.784939 2019] [wsgi:error] [pid 158282:tid 140544462878464] [remote 10.232.46.101:60140] Policies ['cloud_admin', 'owner', 'admin_or_owner', 'admin_and_matching_domain_id', 'identity:create_trust'] reference a rule that is not defined.

The problematic occurrence is rule:user_id as there is no rule like that.
https://github.com/openstack/charm-openstack-dashboard/blame/stable/19.04/templates/rocky/keystonev3_policy.json#L6-L8

documentation on user_id:
https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#generic-checks

Another problematic occurrence is this (domain_id is also not a rule):

    "cloud_admin": "rule:admin_required and rule:domain_id:{{ admin_domain_id }}",

Tags: cpe-onsite
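
The undefined-rule condition reported in the log can be checked offline before a policy file is deployed. The following is an added example, not code from the charm or from oslo.policy. It assumes check strings are plain strings without quoted literals, and the sample policy is constructed: only the cloud_admin line follows the report, with a made-up rendered domain id.

```python
import json

# Constructed sample. Only the cloud_admin line follows the report (with a
# made-up rendered domain id); the other entries are illustrative.
BROKEN_POLICY = json.dumps({
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and rule:domain_id:0123abcd",
    "owner": "rule:user_id:%(user_id)s",
    "admin_or_owner": "(rule:admin_required and "
                      "rule:domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "identity:get_user": "rule:cloud_admin or rule:owner",
})

# The fix described in the commit message: user_id and domain_id are generic
# checks, so they are written without the "rule:" prefix.
FIXED_POLICY = (BROKEN_POLICY
                .replace("rule:domain_id:", "domain_id:")
                .replace("rule:user_id:", "user_id:"))


def rule_references(check_string):
    """Yield the name following each 'rule:' check. Tokens are split on
    whitespace and grouping parentheses are stripped from both ends."""
    for token in check_string.split():
        kind, _, match = token.lstrip("(").rstrip(")").partition(":")
        if kind == "rule" and match:
            yield match


def undefined_rule_references(policy_json):
    """Map each policy name to the rule names it references that are not
    defined as keys in the same policy file."""
    rules = json.loads(policy_json)
    problems = {}
    for name, check in rules.items():
        missing = [ref for ref in rule_references(check) if ref not in rules]
        if missing:
            problems[name] = missing
    return problems


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, undefined_rule_references(policy))
```

In oslo.policy a `rule:` check that names an undefined rule evaluates to false, so a policy written this way denies on that branch instead of performing the intended user_id or domain_id comparison.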
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (stable/19.04)

Fix proposed to branch: stable/19.04
Review: https://review.opendev.org/656959

Dmitrii Shcherbakov (dmitriis) wrote :

Subscribed ~field-critical (see the reviews above).

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/656958
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=2e927f2c42866d113e3b1e25a4cc4aa3efcb88e2
Submitter: Zuul
Branch: master

commit 2e927f2c42866d113e3b1e25a4cc4aa3efcb88e2
Author: Dmitrii Shcherbakov <email address hidden>
Date: Fri May 3 18:14:07 2019 +0300

    Fix incorrect policy rules

    The template for Rocky+ contains incorrect policy rules.

    user_id and domain_id are not rules and are built-in to oslo.policy.

    Change-Id: Ia8678063ad332731c5d09dc908f0282a91badb4d
    Closes-Bug: #1827526

Changed in charm-openstack-dashboard:
status: New → Fix Committed
Changed in charm-openstack-dashboard:
importance: Undecided → High
assignee: nobody → Dmitrii Shcherbakov (dmitriis)
milestone: none → 19.04
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (stable/19.04)

Reviewed: https://review.opendev.org/656959
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=eae844180cee62816df406fc06f4b318de7e2aa9
Submitter: Zuul
Branch: stable/19.04

commit eae844180cee62816df406fc06f4b318de7e2aa9
Author: Dmitrii Shcherbakov <email address hidden>
Date: Fri May 3 18:14:07 2019 +0300

    Fix incorrect policy rules

    The template for Rocky+ contains incorrect policy rules.

    user_id and domain_id are not rules and are built-in to oslo.policy.

    Change-Id: Ia8678063ad332731c5d09dc908f0282a91badb4d
    Closes-Bug: #1827526
    (cherry picked from commit 2e927f2c42866d113e3b1e25a4cc4aa3efcb88e2)

Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released