GenericCheck: nested field match like %(role.name)s does not work without flattening dict

Bug #1678563 reported by Akihiro Motoki

Affects: oslo.policy
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

The examples of GenericCheck look like:

        - True:%(user.enabled)s
        - 'Member':%(role.name)s

I think these examples expect that 'target' contains a field like "user.enabled" or "role.name", but in most cases we don't have such fields without flattening the "target" dict.

keystone has a convenient method to flatten a dict [1], and it is called before policy enforcement (e.g., [2]).

It would be nice and useful if oslo.policy supports flattening a target dict before policy.check.
Otherwise, examples of GenericCheck should be updated not to include nested fields.

[1] https://github.com/openstack/keystone/blob/master/keystone/common/utils.py#L72-L86
[2] https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L161

Akihiro Motoki (amotoki)
summary: GenericCheck: nested field match like %(role.name)s does not work
- without flattening dict field
+ without flattening dict
Morgan Fainberg (mdrnstm) wrote:

We should totally merge the flattener to oslo.policy.

Changed in oslo.policy:
status: New → Triaged
importance: Undecided → Medium
Yang Youseok (ileixe) wrote:

It's not totally related to this issue, but I think GenericCheck can also be enhanced by interpreting the right-hand side.

I excerpt from the official docs:

     <some_attribute>:%(user.id)s

     The value on the right-hand side is either a string or resolves to a string using regular
     Python string substitution. The available attributes and values are dependent on the program
     that is using the common policy engine.

%(user.id) would be resolved to a string, but I found that a list type like $(tags) would not be considered.
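The two points above, the flattening the bug report asks for and the string-only comparison of the right-hand side raised in the last comment, as an added example that is not part of the bug report and is not oslo.policy's or keystone's code. `flatten_dict` models the dotted-key flattening the report references, `generic_check` is a simplified stand-in for GenericCheck (literal or creds key on the left, `%`-substitution against the target on the right, string comparison at the end), and the sample target and credentials are constructed; all of these are assumptions for illustration.

```python
import ast


def flatten_dict(d, parent_key=''):
    """Flatten a nested dict into dotted keys, e.g. {'role': {'name': 'Member'}}
    becomes {'role.name': 'Member'}.  Modelled on the keystone helper the
    report links to; this behaviour is an assumption, not keystone's code."""
    flat = {}
    for key, value in d.items():
        new_key = '%s.%s' % (parent_key, key) if parent_key else key
        if isinstance(value, dict):
            flat.update(flatten_dict(value, new_key))
        else:
            flat[new_key] = value   # lists and scalars are left as they are
    return flat


def generic_check(rule, target, creds):
    """Simplified stand-in for oslo.policy's GenericCheck (not the library's code).

    rule has the form "<kind>:<match>".  The right-hand side is resolved with
    Python %-substitution against target; the left-hand side is either a Python
    literal or a key looked up in creds.  The final comparison is string-based."""
    kind, match = rule.split(':', 1)
    try:
        resolved = match % target
    except KeyError:
        # "%(role.name)s" against an un-flattened target ends up here: there is
        # no literal key "role.name", so the rule silently evaluates to False.
        return False
    try:
        test_value = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        if kind not in creds:
            return False
        test_value = creds[kind]
    return resolved == str(test_value)


# Constructed sample data: a nested target as a service would typically build
# it, plus the caller's credentials.
NESTED_TARGET = {
    'user': {'id': 'u-123', 'enabled': True},
    'role': {'name': 'Member'},
    'tags': ['prod', 'web'],
}
CREDS = {'user_id': 'u-123'}


def demo():
    """Return (rule, result on nested target, result on flattened target)
    for the three doc-style rules."""
    flat = flatten_dict(NESTED_TARGET)
    rules = [
        "True:%(user.enabled)s",
        "'Member':%(role.name)s",
        "user_id:%(user.id)s",
    ]
    return [(r, generic_check(r, NESTED_TARGET, CREDS),
             generic_check(r, flat, CREDS)) for r in rules]


def list_rhs_is_stringified():
    """The right-hand side is always %-formatted into a string, so a list value
    becomes its repr and a membership-style rule can never match."""
    flat = flatten_dict(NESTED_TARGET)
    return (flat['tags'],
            "%(tags)s" % flat,
            generic_check("'prod':%(tags)s", flat, CREDS))


if __name__ == '__main__':
    for rule, nested_result, flat_result in demo():
        print('%-26s nested=%-5s flattened=%s' % (rule, nested_result, flat_result))
    print(list_rhs_is_stringified())
```

Running it shows every nested-field rule failing on the raw target and passing once the target has been flattened, and that `%(tags)s` turns a list into the string `"['prod', 'web']"`, which is why a rule written against a list attribute cannot match a single element.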
