deprecation logic fails because of rule names
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | New | Undecided | Unassigned |
Bug Description
Description
===========
I believe the deprecation logic for rules "admin_api" and "admin_or_owner" is faulty. This is because the code in nova/policies/
RULE_ADMIN_OR_OWNER = 'rule:admin_
...
DEPRECATED_
name=
...
)
assigns the "name" to be 'rule:admin_
if (
deprecated_
deprecated_
):
In the above check, "file_rules" is a dictionary whose keys are the rule names, for example "admin_or_owner" and not "rule:admin_
Steps to reproduce
==================
I created a user with a special role (xyz) on a project and attempted to disable access by adding the override policy of:
"project_owner": "project_
"admin_or_owner": "is_admin:True or rule:project_owner"
This appeared to have no effect. By adding extra logging statements to nova/oslo.policy I was able to identify that the deprecation behaviour was not seeing this override.
If I then updated base.py to have:
DEPRECATED_
...
)
then the policies took effect and my user was correctly refused rights to list servers.
I discovered this using yoga, but I believe this bug is still present on master.
Workaround
==========
My actual problem is that I want to disable the default deprecation behaviour (which merges "admin_or_owner" into "project_
"project_
"project_
"project_
"project_
This causes the logic in oslo.policy to take these rules directly.
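The name mismatch described in the report, as an added example that is not part of the bug report or of nova/oslo.policy code. It is a simplified model of the deprecation lookup, not oslo.policy's own implementation; the policy-file overrides are constructed, the deprecated name "rule:admin_or_owner" and the new-style rule name and defaults are assumptions standing in for the real nova values.

```python
RULE_PREFIX = "rule:"

# Constructed operator overrides, keyed the way a policy file keys them: by the
# bare rule name, without the "rule:" prefix that is only used when one rule
# references another (as in "rule:project_owner").
FILE_RULES = {
    "project_owner": "project_id:%(project_id)s",
    "admin_or_owner": "is_admin:True or rule:project_owner",
}

# Constructed new-style rule and defaults standing in for the real nova ones.
NEW_RULE = "project_reader_example"
NEW_DEFAULT = "role:reader and project_id:%(project_id)s"
OLD_DEFAULT = "is_admin:True or project_id:%(project_id)s"


def rule_key(name: str) -> str:
    """Map a rule reference ("rule:admin_or_owner") to the policy-file key
    ("admin_or_owner"); a bare name is returned unchanged."""
    return name[len(RULE_PREFIX):] if name.startswith(RULE_PREFIX) else name


def overridden_verbatim(deprecated_name: str, file_rules: dict) -> bool:
    """The faulty lookup: compares the registered name as-is, so a name that
    carries the "rule:" prefix never matches a policy-file key."""
    return deprecated_name in file_rules


def overridden_normalised(deprecated_name: str, file_rules: dict) -> bool:
    """The same lookup with the prefix stripped before the membership test."""
    return rule_key(deprecated_name) in file_rules


def effective_check(new_name, new_default, deprecated_name, deprecated_default,
                    file_rules, overridden=overridden_verbatim) -> str:
    """Simplified model of the deprecation merge: an override of the new rule
    wins (the reporter's workaround); failing that, an override of the
    deprecated rule is carried over; with neither, the old and new defaults
    are OR-ed so both keep working during the deprecation period."""
    if new_name in file_rules:
        return file_rules[new_name]
    if overridden(deprecated_name, file_rules):
        return file_rules[rule_key(deprecated_name)]
    return f"({deprecated_default}) or ({new_default})"
```

With the verbatim lookup the operator's "admin_or_owner" override is invisible and the OR-ed defaults still grant the project user access; with the normalised lookup (or an override of the new rule name, as in the workaround) the restriction takes effect.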