This reverts commit 8f190b9121715cc90c1d3269f146f1161623d271.
From Ian:
"So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this
       OrCheck
      /       \
  Role     GenericCheck
The RoleCheck is straight-forward and just works. Glance (in Juno) used
a very old and very hacky policy enforcement system that has been made a
lot better in oslo.policy (soon to be released). At the moment the
GenericCheck receives a target dictionary that is empty. So doing
something like tenant:%(tenant_id)s will return False immediately
because there is no tenant_id key in the dictionary passed in for the
target object (because it is empty). This seems to be a failure
somewhere along the line but I haven’t found it yet. Regardless, it
seems like the RBAC changes need to be reverted because there’s no
chance of them working until a new stable glance comes out with a fix."
So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this.
Reviewed: https://review.openstack.org/146413
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=bba6fa84a181d2123433d56d537826e1e8aaeee0
Submitter: Jenkins
Branch: master
commit bba6fa84a181d2123433d56d537826e1e8aaeee0
Author: Hugh Saunders <email address hidden>
Date: Mon Jan 12 10:37:53 2015 +0000
Revert "Add proper RBAC to Glance's policy.json"
This reverts commit 8f190b9121715cc90c1d3269f146f1161623d271.
From Ian:
"So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this
       OrCheck
      /       \
  Role     GenericCheck
The RoleCheck is straight-forward and just works. Glance (in Juno) used
a very old and very hacky policy enforcement system that has been made a
lot better in oslo.policy (soon to be released). At the moment the
GenericCheck receives a target dictionary that is empty. So doing
something like tenant:%(tenant_id)s will return False immediately
because there is no tenant_id key in the dictionary passed in for the
target object (because it is empty). This seems to be a failure
somewhere along the line but I haven’t found it yet. Regardless, it
seems like the RBAC changes need to be reverted because there’s no
chance of them working until a new stable glance comes out with a fix."
So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this.
Partial-bug: #1408363
Change-Id: I094050e5ea6e1daa94c2f933c222268654f5ef78
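
The failure described in the commit message, reduced to a small runnable model. This is an added example, not oslo.policy or Glance code: the class bodies, the `role:admin` rule and the sample credentials are assumptions that mirror the reported behaviour.

```python
# Simplified model of the OrCheck / RoleCheck / GenericCheck tree.
# Not the oslo.policy implementation; bodies are illustrative assumptions.

class RoleCheck:
    def __init__(self, role):
        self.role = role.lower()

    def __call__(self, target, creds):
        return self.role in [r.lower() for r in creds.get("roles", [])]


class GenericCheck:
    def __init__(self, kind, match):
        self.kind, self.match = kind, match

    def __call__(self, target, creds):
        try:
            # "%(tenant_id)s" is substituted from the target object
            wanted = self.match % target
        except KeyError:
            # Empty target: the key is missing, so the check fails closed
            return False
        return self.kind in creds and wanted == str(creds[self.kind])


class OrCheck:
    def __init__(self, *checks):
        self.checks = checks

    def __call__(self, target, creds):
        return any(check(target, creds) for check in self.checks)


def parse_rule(rule):
    """Parse 'kind:match or kind:match' (only the subset used here)."""
    checks = []
    for part in rule.split(" or "):
        kind, match = part.strip().split(":", 1)
        checks.append(RoleCheck(match) if kind == "role" else GenericCheck(kind, match))
    return OrCheck(*checks)


# Constructed sample rule and credentials
RULE = parse_rule("role:admin or tenant:%(tenant_id)s")
ADMIN = {"roles": ["admin"], "tenant": "t1"}
OWNER = {"roles": ["member"], "tenant": "t1"}

def evaluate(creds, target):
    return RULE(target, creds)
```

With an empty target, only the role branch can ever pass, so a tenant-scoped user is denied even for objects they own; a deny on every non-admin request is the symptom to look for when the target dictionary is not being populated.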