The Enforcer object doesn't deepcopy rules before modifying them
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| oslo.policy |
Fix Released
|
Critical
|
Ghanshyam Mann | ||
Bug Description
The Enforcer() object has methods that load and register default rules. These rules are usually passed
The Enforcer() object has methods to register default rules, which are typically pass in from whatever created the instance of the Enforcer(). The Enforcer() will modify the rules if it detects a rule is deprecated and it's being overridden with a specific value from the operator. This modification allows for smooth upgrades during the deprecation period.
The modification is done on the original copy of the rules that are passed into the Enforcer(), which can cause issues with callers who aren't expecting the rules to change (e.g., tests sharing an enforcer)[0].
We can improve this by ensuring the Enforcer makes a deep copy of the rules before it modifies them.
| Ghanshyam Mann (ghanshyammann) wrote | #1 |
| Changed in oslo.policy: | |
| status: | New → Confirmed |
| assignee: | nobody → Ghanshyam Mann (ghanshyammann) |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/oslo.policy 3.6.2 | #2 |
| Changed in oslo.policy: | |
| importance: | Undecided → Critical |
| Changed in oslo.policy: | |
| status: | Confirmed → Fix Committed |
| status: | Fix Committed → Fix Released |
fixing in https:/