oslo.policy

Improve documentation of what data is used in checks

Bug #1886857 reported by Ben Nemec
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
oslo.policy
Fix Released
High
Raildo Mascena de Sousa Filho

Bug Description

The examples in the documentation[0] use a number of "magic" values such as project_id and user_id, but don't discuss where they come from or how someone writing a policy would find out all of the values available to them. Further, there is little/no discussion of how to determine what data is available in the target object[1]. I've included a very brief mention of that in [2], but I think it would be good to make it a more prominent part of the docs as it is very important for anyone writing their own policy rules.

0: https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html
1: This is further confused by the fact that "target" is an overloaded term. The docs use it to refer to the name of the rule, while the code uses it to refer to the object being operated on by the API call. We should also address that.
2: https://review.opendev.org/740073

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.policy (master)

Fix proposed to branch: master
Review: https://review.opendev.org/743318

Changed in oslo.policy:
assignee: nobody → Raildo Mascena de Sousa Filho (raildo)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.policy (master)

Reviewed: https://review.opendev.org/c/openstack/oslo.policy/+/743318
Committed: https://opendev.org/openstack/oslo.policy/commit/50b7600887d1cd95dbe71786639f2d5bafa33639
Submitter: "Zuul (22348)"
Branch: master

commit 50b7600887d1cd95dbe71786639f2d5bafa33639
Author: Raildo Mascena <email address hidden>
Date: Mon Jul 27 16:10:20 2020 -0300

    Improving documentation about target resources

    Sometimes it's not easy to identify the target resource based on the API call.

    Adding some more details on how API attribute is used as a targer, with an
    example on how to compare the API calls logs with the target resource would
    help to debug policy issues.

    Change-Id: I1318cceb5c0a32c258e6799a872a5dea6482c6de
    Closes-Bug: #1886857

Changed in oslo.policy:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.policy 3.8.0

This issue was fixed in the openstack/oslo.policy 3.8.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.