Comment 6 for bug 1807747

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/stein)

Reviewed: https://review.opendev.org/660330
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=e13513010fdb48a4538daa3ca8b7ae3853635587
Submitter: Zuul
Branch: stable/stein

commit e13513010fdb48a4538daa3ca8b7ae3853635587
Author: Matt Riedemann <email address hidden>
Date: Mon Dec 10 14:58:46 2018 -0500

    Fix target used in nova.policy.check_is_admin

    The target passed to Enforcer.authorize should be a dict,
    similar to the target dict to the RequestContext.can method.
    However, we were passing an instance of _DeprecatedPolicyValues
    because that is ultimately what comes out of
    RequestContext.to_policy_values(). As of change
    I4642c57990b145c0e691140970574412682e66a5 in oslo.policy, that
    incorrect type for the target parameter results in an error in
    the debug logs for the policy check:

      cannot format data, exception: Expected a dictionary, got
      <class 'oslo_context.context._DeprecatedPolicyValues'> instead.

    This resolves the issue by using the same default target dict
    that RequestContext.can uses if a target is not supplied.

    Note that we get here from NovaKeystoneContext via API middleware
    before any request handler is invoked in the wsgi stack, so there
    is no context from the request as to what to pass for the target
    besides the user_id/project_id.

    Change-Id: I4442a7b95d15233f76f7795d45b18ac440ddb831
    Closes-Bug: #1807747
    (cherry picked from commit c27af238ad99c0330eb4b55398f44be28e6f0485)