2020-05-27 14:04:57 |
Dmitrii Shcherbakov |
bug |
|
|
added bug |
2020-05-27 14:10:49 |
Dmitrii Shcherbakov |
bug task added |
|
oslo.policy |
|
2020-05-27 14:11:02 |
OpenStack Infra |
oslo.policy: status |
New |
In Progress |
|
2020-05-27 14:11:02 |
OpenStack Infra |
oslo.policy: assignee |
|
Dmitrii Shcherbakov (dmitriis) |
|
2020-05-27 15:28:56 |
Dmitrii Shcherbakov |
bug |
|
|
added subscriber Corey Bryant |
2020-05-27 16:45:54 |
Corey Bryant |
nominated for series |
|
Ubuntu Groovy |
|
2020-05-27 16:45:54 |
Corey Bryant |
bug task added |
|
python-oslo.policy (Ubuntu Groovy) |
|
2020-05-27 16:46:03 |
Corey Bryant |
python-oslo.policy (Ubuntu Groovy): status |
New |
Triaged |
|
2020-05-27 16:46:04 |
Corey Bryant |
python-oslo.policy (Ubuntu Groovy): importance |
Undecided |
High |
|
2020-05-27 18:34:12 |
Corey Bryant |
description |
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed. |
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
TBD
[Regression Potential]
TBD |
|
2020-05-27 18:37:20 |
Corey Bryant |
nominated for series |
|
Ubuntu Xenial |
|
2020-05-27 18:37:20 |
Corey Bryant |
bug task added |
|
python-oslo.policy (Ubuntu Xenial) |
|
2020-05-27 18:37:20 |
Corey Bryant |
nominated for series |
|
Ubuntu Eoan |
|
2020-05-27 18:37:20 |
Corey Bryant |
bug task added |
|
python-oslo.policy (Ubuntu Eoan) |
|
2020-05-27 18:37:20 |
Corey Bryant |
nominated for series |
|
Ubuntu Bionic |
|
2020-05-27 18:37:20 |
Corey Bryant |
bug task added |
|
python-oslo.policy (Ubuntu Bionic) |
|
2020-05-27 18:37:28 |
Corey Bryant |
python-oslo.policy (Ubuntu Xenial): status |
New |
Triaged |
|
2020-05-27 18:37:34 |
Corey Bryant |
python-oslo.policy (Ubuntu Bionic): status |
New |
Triaged |
|
2020-05-27 18:37:36 |
Corey Bryant |
python-oslo.policy (Ubuntu Eoan): status |
New |
Triaged |
|
2020-05-27 18:37:39 |
Corey Bryant |
python-oslo.policy (Ubuntu Eoan): importance |
Undecided |
High |
|
2020-05-27 18:37:42 |
Corey Bryant |
python-oslo.policy (Ubuntu Bionic): importance |
Undecided |
High |
|
2020-05-27 18:37:44 |
Corey Bryant |
python-oslo.policy (Ubuntu Xenial): importance |
Undecided |
High |
|
2020-05-27 18:38:16 |
Corey Bryant |
bug task added |
|
cloud-archive |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/ussuri |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/ussuri |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/train |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/train |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/stein |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/stein |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/mitaka |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/mitaka |
|
2020-05-27 18:38:59 |
Corey Bryant |
nominated for series |
|
cloud-archive/rocky |
|
2020-05-27 18:38:59 |
Corey Bryant |
bug task added |
|
cloud-archive/rocky |
|
2020-05-27 18:39:15 |
Corey Bryant |
cloud-archive/mitaka: importance |
Undecided |
High |
|
2020-05-27 18:39:15 |
Corey Bryant |
cloud-archive/mitaka: status |
New |
Triaged |
|
2020-05-27 18:39:27 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
High |
|
2020-05-27 18:39:27 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2020-05-27 18:39:41 |
Corey Bryant |
cloud-archive/rocky: importance |
Undecided |
High |
|
2020-05-27 18:39:41 |
Corey Bryant |
cloud-archive/rocky: status |
New |
Triaged |
|
2020-05-27 18:39:54 |
Corey Bryant |
cloud-archive/stein: importance |
Undecided |
High |
|
2020-05-27 18:39:54 |
Corey Bryant |
cloud-archive/stein: status |
New |
Triaged |
|
2020-05-27 18:40:04 |
Corey Bryant |
cloud-archive/train: importance |
Undecided |
High |
|
2020-05-27 18:40:04 |
Corey Bryant |
cloud-archive/train: status |
New |
Triaged |
|
2020-05-27 18:40:18 |
Corey Bryant |
cloud-archive/ussuri: importance |
Undecided |
High |
|
2020-05-27 18:40:18 |
Corey Bryant |
cloud-archive/ussuri: status |
New |
Triaged |
|
2020-05-28 08:58:55 |
Dmitrii Shcherbakov |
attachment added |
|
test_1880959.py https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py |
|
2020-05-29 13:45:19 |
Dmitrii Shcherbakov |
description |
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
TBD
[Regression Potential]
TBD |
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py) under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests. |
|
2020-06-08 16:23:57 |
OpenStack Infra |
oslo.policy: status |
In Progress |
Fix Released |
|
2020-06-19 09:32:13 |
Pedro Guimarães |
tags |
|
cpe-onsite |
|
2020-06-22 17:35:22 |
OpenStack Infra |
cloud-archive/ussuri: status |
In Progress |
Fix Committed |
|
2020-06-25 14:57:03 |
Corey Bryant |
description |
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py) under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests. |
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
== ubuntu ==
The patches include unit tests that ensure the code is behaving as expected and has not regressed. These tests are run during every package build.
== upstream ==
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py) under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests. |
|
2020-06-25 14:57:59 |
Corey Bryant |
cloud-archive/ussuri: status |
Fix Committed |
Triaged |
|
2020-06-25 14:58:10 |
Corey Bryant |
cloud-archive/train: status |
In Progress |
Triaged |
|
2020-06-25 14:58:20 |
Corey Bryant |
cloud-archive/stein: status |
In Progress |
Triaged |
|
2020-06-25 14:58:29 |
Corey Bryant |
cloud-archive/rocky: status |
In Progress |
Triaged |
|
2020-06-25 14:58:39 |
Corey Bryant |
cloud-archive/queens: status |
In Progress |
Triaged |
|
2020-06-25 14:58:48 |
Corey Bryant |
cloud-archive: status |
In Progress |
Triaged |
|
2020-06-25 18:32:11 |
Corey Bryant |
python-oslo.policy (Ubuntu Eoan): status |
Triaged |
Won't Fix |
|
2020-06-25 18:53:58 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-06-25 19:33:34 |
Corey Bryant |
cloud-archive: status |
Triaged |
Fix Committed |
|
2020-06-26 05:32:49 |
Launchpad Janitor |
python-oslo.policy (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-06-26 18:49:50 |
Corey Bryant |
cloud-archive: status |
Fix Committed |
Fix Released |
|
2020-06-29 22:29:45 |
OpenStack Infra |
cloud-archive/train: status |
Triaged |
Fix Committed |
|
2020-06-30 17:37:23 |
Brian Murray |
python-oslo.policy (Ubuntu Focal): status |
New |
Fix Committed |
|
2020-06-30 17:37:26 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-06-30 17:37:31 |
Brian Murray |
tags |
cpe-onsite |
cpe-onsite verification-needed verification-needed-focal |
|
2020-06-30 19:37:19 |
Corey Bryant |
cloud-archive/ussuri: status |
Triaged |
Fix Committed |
|
2020-06-30 19:37:22 |
Corey Bryant |
tags |
cpe-onsite verification-needed verification-needed-focal |
cpe-onsite verification-needed verification-needed-focal verification-ussuri-needed |
|
2020-06-30 19:42:52 |
Corey Bryant |
tags |
cpe-onsite verification-needed verification-needed-focal verification-ussuri-needed |
cpe-onsite verification-needed verification-needed-focal verification-train-needed verification-ussuri-needed |
|
2020-06-30 19:45:27 |
Corey Bryant |
cloud-archive/stein: status |
Triaged |
Fix Committed |
|
2020-06-30 19:45:29 |
Corey Bryant |
tags |
cpe-onsite verification-needed verification-needed-focal verification-train-needed verification-ussuri-needed |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-needed verification-ussuri-needed |
|
2020-07-08 21:17:26 |
Jason Hobbs |
bug |
|
|
added subscriber Canonical Field High |
2020-07-10 14:53:45 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-needed verification-ussuri-needed |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-needed verification-ussuri-done |
|
2020-07-10 17:26:04 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-needed verification-ussuri-done |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-done verification-ussuri-done |
|
2020-07-10 17:39:57 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-needed verification-needed-focal verification-stein-needed verification-train-done verification-ussuri-done |
cpe-onsite verification-needed verification-needed-focal verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-10 18:01:48 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-needed verification-needed-focal verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done-focal verification-needed verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-13 12:52:03 |
Corey Bryant |
tags |
cpe-onsite verification-done-focal verification-needed verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-done-focal verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-14 13:57:33 |
Corey Bryant |
cloud-archive/mitaka: status |
Triaged |
Won't Fix |
|
2020-07-14 13:57:47 |
Corey Bryant |
python-oslo.policy (Ubuntu Xenial): status |
Triaged |
Won't Fix |
|
2020-07-14 15:29:00 |
Corey Bryant |
cloud-archive/rocky: status |
In Progress |
Fix Committed |
|
2020-07-14 15:29:01 |
Corey Bryant |
tags |
cpe-onsite verification-done verification-done-focal verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-done-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-21 16:17:40 |
Brian Murray |
tags |
cpe-onsite verification-done verification-done-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-needed-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-22 16:12:43 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-done verification-needed-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-done-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-23 11:27:08 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-07-23 11:37:12 |
Launchpad Janitor |
python-oslo.policy (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2020-07-23 13:28:35 |
Corey Bryant |
tags |
cpe-onsite verification-done verification-done-focal verification-rocky-needed verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-done-focal verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-23 13:33:10 |
Corey Bryant |
cloud-archive/ussuri: status |
Fix Committed |
Fix Released |
|
2020-07-23 13:35:20 |
Corey Bryant |
cloud-archive/train: status |
Fix Committed |
Fix Released |
|
2020-07-23 13:37:16 |
Corey Bryant |
cloud-archive/stein: status |
Fix Committed |
Fix Released |
|
2020-07-23 13:41:12 |
Corey Bryant |
cloud-archive/rocky: status |
Fix Committed |
Fix Released |
|
2020-07-28 20:58:18 |
Brian Murray |
python-oslo.policy (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2020-07-28 20:58:21 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-07-28 20:58:26 |
Brian Murray |
tags |
cpe-onsite verification-done verification-done-focal verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done-focal verification-needed verification-needed-bionic verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-29 12:25:16 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2020-07-29 12:25:18 |
Corey Bryant |
tags |
cpe-onsite verification-done-focal verification-needed verification-needed-bionic verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done-focal verification-needed verification-needed-bionic verification-queens-needed verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-29 12:47:24 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-done-focal verification-needed verification-needed-bionic verification-queens-needed verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done-bionic verification-done-focal verification-needed verification-queens-needed verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-07-31 11:41:37 |
Dmitrii Shcherbakov |
tags |
cpe-onsite verification-done-bionic verification-done-focal verification-needed verification-queens-needed verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite verification-done verification-done-bionic verification-done-focal verification-queens-done verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-08-04 08:07:30 |
Launchpad Janitor |
python-oslo.policy (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-08-10 13:56:28 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|
2020-08-10 21:36:38 |
OpenStack Infra |
tags |
cpe-onsite verification-done verification-done-bionic verification-done-focal verification-queens-done verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite in-stable-rocky verification-done verification-done-bionic verification-done-focal verification-queens-done verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
2020-09-09 11:45:08 |
OpenStack Infra |
tags |
cpe-onsite in-stable-rocky verification-done verification-done-bionic verification-done-focal verification-queens-done verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
cpe-onsite in-stable-queens in-stable-rocky verification-done verification-done-bionic verification-done-focal verification-queens-done verification-rocky-done verification-stein-done verification-train-done verification-ussuri-done |
|
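The stale-override sequence from the [Impact] description in this log, reproduced as an added example. It is a simplified model written for this page, not oslo.policy's code and not the attached test_1880959.py. `MiniEnforcer`, `run_scenario` and the `reapply_overrides` switch are hypothetical names, and rule.yaml is written as JSON so that no YAML parser is needed.

```python
import json
import os
import tempfile

RULE = "identity:list_credentials"
PRIMARY_RULE = "rule:admin_required or user_id:%(user_id)s"  # value in policy.json
OVERRIDE_RULE = "!"                                          # value in policy.d/rule.yaml


class MiniEnforcer:
    """Simplified model of mtime-cached policy loading (hypothetical, not oslo.policy)."""

    def __init__(self, policy_file, policy_dir, reapply_overrides):
        self.policy_file = policy_file
        self.policy_dir = policy_dir
        # True models re-applying policy.d whenever the primary file reloads,
        # which is the behaviour the description reports as missing.
        self.reapply_overrides = reapply_overrides
        self.rules = {}
        self._mtimes = {}

    def _read_if_changed(self, path, force=False):
        """Parse the file if its mtime differs from the cached one, or if forced."""
        mtime = os.stat(path).st_mtime_ns
        if not force and self._mtimes.get(path) == mtime:
            return None
        self._mtimes[path] = mtime
        with open(path) as fh:
            return json.load(fh)

    def load_rules(self):
        primary = self._read_if_changed(self.policy_file)
        if primary is not None:
            # A reload of the primary file replaces the whole rule set.
            self.rules = dict(primary)
        force = primary is not None and self.reapply_overrides
        for name in sorted(os.listdir(self.policy_dir)):
            override = self._read_if_changed(os.path.join(self.policy_dir, name), force)
            if override is not None:
                self.rules.update(override)
        return self.rules


def run_scenario(reapply_overrides):
    """Return the active rule before and after policy.json's mtime is bumped."""
    with tempfile.TemporaryDirectory() as root:
        policy_file = os.path.join(root, "policy.json")
        policy_dir = os.path.join(root, "policy.d")
        os.mkdir(policy_dir)
        with open(policy_file, "w") as fh:
            json.dump({RULE: PRIMARY_RULE}, fh)
        with open(os.path.join(policy_dir, "rule.yaml"), "w") as fh:
            json.dump({RULE: OVERRIDE_RULE}, fh)  # JSON is also valid YAML
        enforcer = MiniEnforcer(policy_file, policy_dir, reapply_overrides)
        before = enforcer.load_rules()[RULE]
        # Bump the mtime of policy.json without changing its content.
        st = os.stat(policy_file)
        os.utime(policy_file, ns=(st.st_atime_ns, st.st_mtime_ns + 1_000_000_000))
        after = enforcer.load_rules()[RULE]
        return before, after


if __name__ == "__main__":
    print("override lost:", run_scenario(reapply_overrides=False))
    print("override kept:", run_scenario(reapply_overrides=True))
```

With `reapply_overrides=False` the deny rule `!` from policy.d is silently replaced by the more permissive policy.json rule after the mtime bump, which is the incorrect rule combination the description warns about.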