Policy checking fails against non-strings

Fix proposed to branch: master
Review: https://review.openstack.org/11657

Reviewed: https://review.openstack.org/11657
Committed: http://github.com/openstack/openstack-common/commit/454693d250e7085cefef30e1b43608477f34a345
Submitter: Jenkins
Branch: master

commit 454693d250e7085cefef30e1b43608477f34a345
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Aug 20 10:25:21 2012 -0700

    Allow non-string items in the creds dict.

    The generic checking in policy allows us to match against data from the
    creds_dict using a very simple syntax. For example, in policy.json if
    you had something like:

    "some_action": [["project_id:foo"]]

    it would only allow project foo to perform that action, but something
    like:

    "some_action": [["is_admin:True"]]

    where is_admin is a boolean fails.

    This modifies the check to convert the value to unicode before
    attempting to compare it. It includes a test.

    Fixes bug 1039132

    Change-Id: I0e53a6ea2709212d4a1536f901bcf1e717a232ca

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/12338

Reviewed: https://review.openstack.org/12338
Committed: http://github.com/openstack/openstack-common/commit/5a565397deba671228d10c9c57102daae75eeb7f
Submitter: Jenkins
Branch: stable/folsom

commit 5a565397deba671228d10c9c57102daae75eeb7f
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Aug 20 10:25:21 2012 -0700

    Allow non-string items in the creds dict.

    The generic checking in policy allows us to match against data from the
    creds_dict using a very simple syntax. For example, in policy.json if
    you had something like:

    "some_action": [["project_id:foo"]]

    it would only allow project foo to perform that action, but something
    like:

    "some_action": [["is_admin:True"]]

    where is_admin is a boolean fails.

    This modifies the check to convert the value to unicode before
    attempting to compare it. It includes a test.

    Fixes bug 1039132

    Change-Id: I0e53a6ea2709212d4a1536f901bcf1e717a232ca

FYI, this should be trivial to fix the right way. Currently, the is_admin check would go through the _check_generic() function in openstack/common/policy.py, but if we added an "is_admin"-specific check, we could correct this without having to stringify in enforce().

In current openstack/common/policy.py code, this would look something like:

    @policy.register('is_admin')
    def _check_is_admin(brain, match_kind, match_value, target_dict, creds_dict):
        return creds_dict['is_admin'] == (match_value.lower() == 'true')

In my pending policy rewrite patch, the above will work fine, but we could also do something like this:

    @policy.register('is_admin')
    class IsAdminCheck(policy.Check):
        def __init__(self, kind, match):
            super(IsAdminCheck, self).__init__(kind, match)
            self.expected = (match.lower() == 'true')

        def __call__(self, target, creds):
            return creds_dict['is_admin'] == self.expected

(See https://review.openstack.org/#/c/14122 for the policy rewrite patch I'm referring to.)