Keystone fails to log policy target data
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.policy | Fix Released | Undecided | John Dennis |
Bug Description
The Oslo Policy Enforcer requires 3 pieces of run-time information, in addition to the policy rules, to issue an RBAC decision:
1) the name of the rule to be evaluated (called target in the oslo-policy doc)
2) the auth context (called credentials in the oslo-policy doc)
3) the target data (resource data relevant to the rule)
If you are trying to debug policy enforcement, or simply validate that your policy works as expected, one can use the oslopolicy-checker tool. But the oslopolicy-checker tool needs the *exact* same data keystone passes to the policy enforcement engine.
The fact that the target data needs to be logged but isn't is captured in this comment from Henry Nash in authorize.py:
# TODO(henry-nash) need to log the target attributes as well
https:/
But that is not the best location to log; the best place is where oslo.policy is called to evaluate a policy rule, which occurs in Policy.enforce() in keystone/
https:/
Here we can see it logs the rule name (e.g. action) and the auth context (credentials):
msg = 'enforce %(action)s: %(credentials)s'
but the target data is not logged.
Besides the fact that the target data is not logged, the logging relies on Python's str() method to convert an object into a string representation. This has two problems: 1) all contained objects must also have __str__() methods that fully log their contents, 2) the formatting is often in Python's "representation" style, which only humans and Python can parse.
Since both the credentials and target parameters to the enforce method are dicts (with arbitrarily complex nesting), and since JSON is the data format we use for data exchange and the format used by oslopolicy-checker, it makes sense to log the enforcement parameters in JSON format. This way no data is lost (because there wasn't an appropriate formatter for the object), and it makes it easy to import the data into another tool (again, without loss of data).
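The logging change proposed above, as an added illustration that is not keystone's or oslo.policy's own code: the three enforce() parameters are serialized as one JSON line, with a fallback for objects json.dumps cannot handle, so the line can be parsed back without loss. The Ref class, sample credentials and target, and the function names are constructed for this example.

```python
# Added example (not keystone's or oslo.policy's code): format the three
# enforce() parameters as JSON so a tool like oslopolicy-checker can consume
# them, instead of relying on str()/repr() which drops nested object contents.
import json
import logging

LOG = logging.getLogger(__name__)


class Ref:
    """Constructed stand-in for a resource object whose str() hides its fields."""

    def __init__(self, id, domain_id):
        self.id = id
        self.domain_id = domain_id


def _to_jsonable(obj):
    # Fallback for values json.dumps cannot serialize: emit their public
    # attributes rather than an opaque repr such as '<Ref object at 0x...>'.
    if hasattr(obj, "__dict__"):
        return {k: v for k, v in vars(obj).items() if not k.startswith("_")}
    return str(obj)


def format_enforce_call(action, credentials, target):
    """Return one JSON line carrying rule name, auth context and target data."""
    record = {"action": action, "credentials": credentials, "target": target}
    return json.dumps(record, default=_to_jsonable, sort_keys=True)


def parse_enforce_line(line):
    """Round-trip: load a logged line back into a dict (what a checker would do)."""
    return json.loads(line)


def log_enforce(action, credentials, target):
    line = format_enforce_call(action, credentials, target)
    LOG.debug("enforce %s", line)
    return line


if __name__ == "__main__":
    creds = {"user_id": "u1", "project_id": "p1", "roles": ["member"]}   # constructed
    target = {"project": Ref("p1", "default"), "user": {"id": "u2"}}     # constructed
    print("str():  enforce %s: %s" % (creds, target))  # repr style, Ref is opaque
    print("json(): " + log_enforce("identity:get_user", creds, target))
```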
no longer affects: keystone
Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/618911