[Bug 1880959] Fix merged to oslo.policy (stable/stein)

OpenStack Infra 1880959 at bugs.launchpad.net
Wed Jul 1 11:05:11 UTC 2020


Reviewed:  https://review.opendev.org/734155
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=a49f31d3fc7690e3d15bc2428660b537967c89cc
Submitter: Zuul
Branch:    stable/stein

commit a49f31d3fc7690e3d15bc2428660b537967c89cc
Author: Dmitrii Shcherbakov <dmitrii.shcherbakov at canonical.com>
Date:   Wed May 27 17:06:25 2020 +0300

    Reload files in policy_dirs on primary file change
    
    It was determined that rules from policy files located in the directory
    specified in the policy_dirs option (/etc/<config_dir>/policy.d by
    default) are not re-applied after the rules from the primary policy file
    is re-applied due to a change.
    
    This change introduces additional behavior to make sure the rules from
    policy_dirs are reapplied if there is a change to the primary policy
    file.
    
    Change-Id: I8a6f8e971d881365c41ea409966723319d5b239a
    Closes-Bug: #1880959
    Related-Bug: #1880847
    (cherry picked from commit 75677a31108243e0adddc89f1fbf669053f9573b)
    (cherry picked from commit 5904564bf13bbac7d66e00ec6312487c507f09c4)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1880959

Title:
  Rules from the policy directory files are not reapplied after changes
  to the primary policy file

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Triaged
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in Ubuntu Cloud Archive rocky series:
  Triaged
Status in Ubuntu Cloud Archive stein series:
  Fix Committed
Status in Ubuntu Cloud Archive train series:
  Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in oslo.policy:
  Fix Released
Status in python-oslo.policy package in Ubuntu:
  Fix Released
Status in python-oslo.policy source package in Xenial:
  Triaged
Status in python-oslo.policy source package in Bionic:
  Triaged
Status in python-oslo.policy source package in Eoan:
  Won't Fix
Status in python-oslo.policy source package in Focal:
  Fix Committed
Status in python-oslo.policy source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file is re-applied due to a change.

  This leads to scenarios where incorrect rule combinations are active.

  Example from the test case in 1880847:

  * policy.json gets read with the following rule;
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml from policy.d is read with the following rule;
  {'identity:list_credentials': '!'}
  * policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml doesn't get reapplied since it hasn't changed.

  [Test Case]
  == ubuntu ==

  The patches include unit tests that ensure the code is behaving as
  expected and has not regressed. These tests are run during every
  package build.

  == upstream ==
  For a particular version of oslo.policy:

  * put the attached test (https://bugs.launchpad.net/ubuntu/+source
  /python-
  oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py)
  under oslo_policy/tests/test_1880959.py;

  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
  * observe the failure;
  # ...
  testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
  Ran 1 tests in 0.005s (+0.001s)
  FAILED (id=1, failures=1)

  * apply the patch;
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
  * observe that the failure is no longer there.

  [Regression Potential]
  The regression potential is low given that there is test coverage in the olso.policy unit tests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1880959/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list