Policy negation with multiple policies fails

Bug #1448295 reported by Tim Hinrichs
Affects: congress
Status: Fix Released
Importance: Critical
Assigned to: Tim Hinrichs
Milestone: (none)

Bug Description

Rules that apply negation to an atom referencing a table in a different policy fail to work properly. Example:

policy alpha:
p(x) :- beta:q(x), not beta:q(x)

policy beta:
q(1)

The query p(x) should be empty, but it returns 1 because 'not beta:q(x)' succeeds because 'beta:q(x)' always fails.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to congress (master)

Fix proposed to branch: master
Review: https://review.openstack.org/177439

OpenStack Infra (hudson-openstack) wrote : Fix merged to congress (master)

Reviewed: https://review.openstack.org/177439
Committed: https://git.openstack.org/cgit/openstack/congress/commit/?id=ced8a68db18db8c866c733efc84403239789e2dd
Submitter: Jenkins
Branch: master

commit ced8a68db18db8c866c733efc84403239789e2dd
Author: Tim Hinrichs <email address hidden>
Date: Fri Apr 24 13:27:20 2015 -0700

    Fix bug with policy negation and multiple policies

    If negation is applied to an atom that references a different
    policy, that negation always succeeds. The root cause was
    that negation caused the evaluation engine to skip over
    the logic that runs the evaluation routine within another
    policy. This meant that the evaluation engine could
    never prove anything positive in that other policy and
    hence the negation always succeeded.

    This change routes the logic through the normal evaluation
    path. This ensures that what is inside the negation is
    evaluated exactly the same as if it were outside the
    negation.

    Change-Id: I2d5ceeccf87afd99adfe71c359cf2b5e5cd46b38
    Closes-bug: 1448295

Changed in congress:
status: In Progress → Fix Committed
Tim Hinrichs (thinrichs)
Changed in congress:
status: Fix Committed → Fix Released
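
The failure described in the report and commit message, reproduced in a small stand-alone model (an added example, not Congress's code): a negated atom that is not dispatched to the policy it names can never be disproved, so the rule from the report returns 1 instead of nothing. The `Lit` type, the `query` function, its `routed_negation` switch and the control rule `r` are assumptions made for illustration; the facts are constructed to mirror the report.

```python
from typing import NamedTuple

class Lit(NamedTuple):
    policy: str            # policy that owns the referenced table
    table: str
    args: tuple            # strings beginning with "?" are variables
    negated: bool = False

# Constructed data mirroring the report: policy beta holds the fact q(1).
FACTS = {"alpha": set(), "beta": {("q", (1,))}}
# alpha: p(x) :- beta:q(x), not beta:q(x)   (from the report)
#        r(x) :- beta:q(x), not beta:s(x)   (hypothetical control rule)
RULES = {"alpha": {
    "p": [(("?x",), [Lit("beta", "q", ("?x",)), Lit("beta", "q", ("?x",), True)])],
    "r": [(("?x",), [Lit("beta", "q", ("?x",)), Lit("beta", "s", ("?x",), True)])],
}}

def match(args, row, env):
    """Unify literal arguments with a fact row; return the new bindings or None."""
    env = dict(env)
    for arg, val in zip(args, row):
        if isinstance(arg, str) and arg.startswith("?"):
            if env.setdefault(arg, val) != val:
                return None
        elif arg != val:
            return None
    return env

def lookup(policy, lit, env):
    """Yield bindings that satisfy lit against the facts stored in `policy`."""
    for table, row in FACTS.get(policy, ()):
        if table == lit.table and len(row) == len(lit.args):
            new_env = match(lit.args, row, env)
            if new_env is not None:
                yield new_env

def query(policy, table, routed_negation):
    """Evaluate policy:table. routed_negation=False models the pre-fix behaviour."""
    answers = set()
    for head, body in RULES[policy][table]:
        envs = [{}]
        for lit in body:
            if not lit.negated:
                envs = [e2 for e in envs for e2 in lookup(lit.policy, lit, e)]
            else:
                # Pre-fix model: the negated atom is never dispatched to the policy
                # it names, so nothing can be proved and the negation always holds.
                target = lit.policy if routed_negation else policy
                envs = [e for e in envs if next(lookup(target, lit, e), None) is None]
        answers |= {tuple(e[v] for v in head) for e in envs}
    return answers
```

With `routed_negation=False` the query for `p` returns `{(1,)}`; with `routed_negation=True` it is empty, while the control rule `r` still returns `{(1,)}`, showing that the routed path evaluates the negated atom rather than simply rejecting it.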