checker CLI does not enumerate all rules for glance

Bug #1797739 reported by Adam Young on 2018-10-14
This bug affects 1 person
Affects: oslo.policy
Importance: Undecided
Assigned to: Adam Young

Bug Description

Something about the glance.json policy file stops the CLI checker from enumerating all the rules.

Sample input:

oslopolicy-checker --policy /opt/stack/glance/etc/policy.json --access /opt/stack/python-keystoneclient/examples/pki/cms/auth_v3_token_scoped.json

Returns no output. However (with a doctored access file to add the Member or admin role) individual rules will pass:

$ oslopolicy-checker --policy etc/glance/policy.json --access /opt/stack/python-keystoneclient/examples/pki/cms/auth_v3_token_scoped.json --rule modify_task
failed: modify_task

$ oslopolicy-checker --policy etc/glance/policy.json --access /opt/stack/python-keystoneclient/examples/pki/cms/auth_v3_token_scoped.json --rule reactivate
passed: reactivate

Adam Young (ayoung) on 2018-10-14
Changed in oslo.policy:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) wrote :

Turns out the checker looks for a : in the rules, as most of the other services are formatted like identity:create_user, but glance has no namespace.

Changed in oslo.policy:
status: New → In Progress
Adam Young (ayoung) wrote :

Going to add a flag to make it possible to override the : check. I don't want to remove that check completely, as that would break people's score cards by evaluating things like is_admin and other common checks that the : check was skipping.
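
The behaviour discussed in this report, as an added example (not code from oslo.policy or from the reporter): a stdlib-only sketch that shows which rule names an enumerator filtering on ":" would evaluate or skip, and what an override pulls in. The function name, the include_unnamespaced parameter, the sample policies and the helper/target heuristic are all assumptions made for illustration.

```python
import re

# Constructed sample policies; rule bodies are invented, not the real files.
GLANCE_STYLE = {
    "is_admin": "role:admin",
    "modify_task": "rule:is_admin",
    "reactivate": "role:admin or role:Member",
}
KEYSTONE_STYLE = {
    "admin_required": "role:admin",
    "identity:create_user": "rule:admin_required",
}

# Matches references to other rules inside a rule body, e.g. "rule:is_admin".
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_.:\-]+)")


def coverage(policy, include_unnamespaced=False):
    """Report which rules a ':'-filtering enumerator evaluates and skips.

    Skipped names are split by a heuristic (an assumption of this example):
    a name referenced by another rule as "rule:<name>" is treated as a shared
    helper check; an unreferenced one is treated as a likely API target.
    """
    referenced = set()
    for body in policy.values():
        if isinstance(body, str):  # only string-form rule bodies are scanned
            referenced.update(RULE_REF.findall(body))

    report = {"evaluated": [], "skipped_helpers": [], "skipped_targets": []}
    for name in sorted(policy):
        if ":" in name or include_unnamespaced:
            report["evaluated"].append(name)
        elif name in referenced:
            report["skipped_helpers"].append(name)
        else:
            report["skipped_targets"].append(name)
    return report


if __name__ == "__main__":
    for label, policy in (("glance-style", GLANCE_STYLE),
                          ("keystone-style", KEYSTONE_STYLE)):
        print(label, coverage(policy))
    print("glance-style, override", coverage(GLANCE_STYLE, True))
```

An empty "evaluated" list alongside a non-empty "skipped_targets" list means the enumeration covered none of the API rules, which is a coverage gap and not a clean result.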
