Changing policy.json is invalid for creating an aggregate

Bug #1240831 reported by wingwj on 2013-10-17
This bug affects 1 person
Affects: OpenStack Compute (nova)
Importance: Medium
Assigned to: wingwj

Bug Description

By default, aggregate actions require the admin user to operate.

In order to give rights to a normal user, I changed it in policy.json, like this:

    from
        "compute_extension:aggregates": "rule:admin_api",
    to
        "compute_extension:aggregates": "",

But the operation is still rejected.

----------------

I checked the code in Nova; the fault is due to def require_admin_context() in /nova/db/sqlalchemy/api.py.

That means Nova has checked the policy of one API twice.
So why twice? The policy has already been checked in the API layer.

That causes the problem.

Tags: api
wingwj (wingwj) wrote :

P.S. I checked the similar code in Cinder/Neutron; it's the same.
If you want to change an admin_api to a regular one, this problem also exists.

Can we remove the def require_admin_context() in the DB layer, or use def require_context() instead?

Changed in nova:
assignee: nobody → wingwj (wingwj)
tags: added: api
Christopher Yeoh (cyeoh-0) wrote :

wingwj - this is on our list of things to do, see https://blueprints.launchpad.net/nova/+spec/v3-api-policy
For each case we do need to do an audit for wherever the db call is also called from and ensure that there are policy checks for those cases as well.

Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
Christopher Yeoh (cyeoh-0) wrote :

Since this is being handled by the v3-api-policy blueprint and being tracked by that blueprint, I'm closing this bug report.

Changed in nova:
status: Confirmed → Invalid
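
A simplified model of the two checks discussed in this report, added here as an example and not taken from nova: `enforce`, `Context`, `api_create`, `outcome` and `unguarded_aggregate_create` are hypothetical stand-ins, and rule evaluation is reduced to the two rule strings quoted in the description. It shows why relaxing the policy.json rule alone is still rejected at the DB layer, and why dropping the DB-layer guard calls for an audit of every caller of the DB function.

```python
import functools

ACTION = "compute_extension:aggregates"
DEFAULT = {ACTION: "rule:admin_api"}   # constructed sample policy
RELAXED = {ACTION: ""}                 # the change made by the reporter

class Forbidden(Exception):
    def __init__(self, layer):
        super().__init__(f"rejected at {layer} layer")
        self.layer = layer

class Context:
    def __init__(self, user, is_admin=False):
        self.user, self.is_admin = user, is_admin

def enforce(policy, action, ctx):
    # API layer: the decision comes from the policy file contents.
    rule = policy[action]
    if rule == "" or (rule == "rule:admin_api" and ctx.is_admin):
        return
    raise Forbidden("api")

def require_admin_context(f):
    # DB layer: hard-coded admin check that never reads the policy file.
    @functools.wraps(f)
    def wrapper(ctx, *args, **kwargs):
        if not ctx.is_admin:
            raise Forbidden("db")
        return f(ctx, *args, **kwargs)
    return wrapper

@require_admin_context
def aggregate_create(ctx, name):            # stands in for the DB API call
    return {"name": name, "owner": ctx.user}

def unguarded_aggregate_create(ctx, name):  # same call with the DB guard removed
    return {"name": name, "owner": ctx.user}

def api_create(policy, ctx, db_call=aggregate_create):
    enforce(policy, ACTION, ctx)
    return db_call(ctx, "agg1")

def outcome(fn, *args, **kwargs):
    # Returns "ok", or the layer ("api" / "db") that rejected the call.
    try:
        fn(*args, **kwargs)
        return "ok"
    except Forbidden as e:
        return e.layer

user, admin = Context("alice"), Context("root", is_admin=True)
```

With the guard removed, `outcome(unguarded_aggregate_create, user, "agg1")` returns `"ok"`: a caller that reaches the DB function without going through `api_create` is no longer checked by anything.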