Policy defined for 'share' applies to 'security_service' also

Bug #1274951 reported by Aleksandr Chirko
This bug affects 2 people
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: High
Assigned to: Aleksandr Chirko

Bug Description

If we define a policy for share creation in policy.json like this:
    "share:create": [["is_admin:True"]]
we will be unable to create a share under the 'demo' user:
    $ manila create nfs 1
    ERROR: Policy doesn't allow share:create to be performed.
and that's expected.
But we will also be unable to create a security service under the 'demo' user:
    $ manila security-service-create ldap
    ERROR: Policy doesn't allow share:create to be performed.
which is unexpected.

Tags: policy
Changed in manila:
assignee: nobody → Aleksandr Chirko (achirko)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/70375

Changed in manila:
status: New → In Progress
Changed in manila:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/70375
Committed: https://git.openstack.org/cgit/stackforge/manila/commit/?id=826b15692ee0cfa509d82d13fbba09c56c9c6b27
Submitter: Jenkins
Branch: master

commit 826b15692ee0cfa509d82d13fbba09c56c9c6b27
Author: Aleks Chirko <email address hidden>
Date: Fri Jan 31 18:37:11 2014 +0200

    Fix policy.py

    Because inside check_policy() there is hardcoded
    'share' target prepended to all policies, any
    policy we check will be checked against 'share'
    policy. Change check_policy() to use explicit
    target and action instead of just action.
    Change wrap_check_policy decorator to be a
    decorator maker which accepts resource name
    as an argument.
    Closes-Bug: #1274951
    Partial-Bug: #1271943

    Change-Id: I85c184035619d78107d56ea94918f608d8d7c282
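
The defect and the fix described in the commit message above, as an added Python sketch that is not Manila's code. Only the names check_policy and wrap_check_policy come from the commit message; the rule table, the "security_service:create" rule name, the use of the method name as the action, and the SecurityServiceAPI class are assumptions made for illustration.

```python
import functools

# Constructed rules standing in for policy.json; the security_service rule
# name and its allow-all setting are assumptions for this sketch.
RULES = {
    "share:create": lambda ctx: ctx["is_admin"],
    "security_service:create": lambda ctx: True,
}

class PolicyNotAuthorized(Exception):
    pass

def enforce(context, rule):
    check = RULES.get(rule)  # unknown rule names are denied
    if check is None or not check(context):
        raise PolicyNotAuthorized("Policy doesn't allow %s to be performed." % rule)

def check_policy_buggy(context, action):
    enforce(context, "share:%s" % action)  # 'share' hardcoded for every API

def check_policy(context, resource, action):
    enforce(context, "%s:%s" % (resource, action))  # explicit target and action

def wrap_check_policy(resource):
    # Decorator maker: binds the resource name; the method name is the action.
    def decorator(func):
        @functools.wraps(func)
        def wrapped(self, context, *args, **kwargs):
            check_policy(context, resource, func.__name__)
            return func(self, context, *args, **kwargs)
        return wrapped
    return decorator

class SecurityServiceAPI:  # hypothetical API class
    def create_buggy(self, context, kind):
        check_policy_buggy(context, "create")  # evaluated as share:create
        return {"type": kind}

    @wrap_check_policy("security_service")
    def create(self, context, kind):
        return {"type": kind}

def denied(call, *args):
    # Return the denial message, or None when the call is allowed.
    try:
        call(*args)
    except PolicyNotAuthorized as exc:
        return str(exc)
    return None
```

With a non-admin context, create_buggy is refused with the share:create message from the report, while the decorated create is evaluated against the security_service rule and succeeds.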

Changed in manila:
status: In Progress → Fix Committed
Changed in manila:
status: Fix Committed → Fix Released