ignore case in policy role checking

Bug #922660 reported by Dan Prince
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Dan Prince

Bug Description

The default nova policy.json file specifies a default rule using the 'admin' role:

    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],

In keystone however my admin role is 'Admin'.

This can lead to errors like this when trying to list instances in a multi-tenant setup:

    root@nova1:~# nova list
    Policy doesn't allow compute:get_instance_faults to be performed. (HTTP 403)

Changing the case of the role in policy.json will fix the issue... however in my opinion we should ignore case on role checking. We do this in Nova's context.py for example when setting 'is_admin'. Why not for policy.json files too?

Dan Prince (dan-prince)
Changed in nova:
status: New → In Progress
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → Medium
milestone: none → essex-4
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/3510

Vish Ishaya (vishvananda) wrote : Re: [Bug 922660] [NEW] ignore case in policy role checking

I could go either way on this one. I really don't like the uppercasing of the roles in the keystone initial data. We create the role in lowercase in devstack. Perhaps we should consider them case insensitive, though.

Vish

On Jan 27, 2012, at 7:52 AM, Dan Prince wrote:

> Public bug reported:
>
> The default nova policy.json files specifies a default rule using the
> 'admin' role:
>
> "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
>
> In keystone however my admin role is 'Admin'.
>
> This can lead to errors like this when trying to list instances in a
> multi-tenant setup:
>
> root@nova1:~# nova list
> Policy doesn't allow compute:get_instance_faults to be performed. (HTTP 403)
>
> Changing the case of the role in policy.json will fix the issue...
> however in my opinion we should ignore case on role checking. We do this
> in Nova's context.py for example when setting 'is_admin'. Why not for
> policy.json files too?

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/3510
Committed: http://github.com/openstack/nova/commit/58e652845e0762e62e3b7a8ec02e742c6a78ba11
Submitter: Jenkins
Branch: master

commit 58e652845e0762e62e3b7a8ec02e742c6a78ba11
Author: Dan Prince <email address hidden>
Date: Fri Jan 27 11:05:29 2012 -0500

    Ignore case in policy role checks.

    Update the default policy brain so that role checks ignore case.
    Fixes an issue where roles in keystone didn't exactly match the
    case of the role as specified in policy.json.

    Fixes LP Bug #922660.

    Change-Id: I05792755c9293e4dd80d642cb8eef6b0adda2ed4
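
The behaviour discussed in this report, as an added example (not nova's code and not part of the original report): a minimal evaluator for the `admin_or_owner` rule quoted above, with role matching switchable between exact and case-insensitive. It assumes the outer list is OR'ed and each inner list is AND'ed; the names `enforce` and `_match` and the sample credentials in the test are constructed for illustration.

```python
import json

# Rule text copied from the bug description; everything else is constructed.
POLICY = json.loads(
    '{"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]]}'
)


def _match(check, target, creds, ignore_role_case):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = check.partition(":")
    try:
        # Fill placeholders such as %(project_id)s from the target object.
        value = value % target
    except KeyError:
        # Target lacks the referenced attribute: deny rather than guess.
        return False
    if kind == "role":
        roles = creds.get("roles", [])
        if ignore_role_case:
            # Behaviour after the fix: 'Admin' satisfies 'role:admin'.
            return value.lower() in [r.lower() for r in roles]
        # Behaviour before the fix: exact string comparison.
        return value in roles
    # Generic check: compare the credential attribute to the expected value.
    return str(creds.get(kind)) == value


def enforce(rule, target, creds, ignore_role_case=True):
    """Return True if any AND-group of the rule matches; unknown rules deny."""
    for and_list in POLICY.get(rule, []):
        if all(_match(c, target, creds, ignore_role_case) for c in and_list):
            return True
    return False
```

With case folding enabled, role names that differ only by case become the same role for policy purposes, so an identity service that allows both `admin` and `Admin` as distinct roles would grant them identical access.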

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1