[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file
Dmitrii Shcherbakov
1880959 at bugs.launchpad.net
Fri Jul 10 14:53:26 UTC 2020
Verified Ussuri (on Focal):
root@oslop-f:/tmp/oslo.policy/python-oslo.policy# git remote show origin
* remote origin
Fetch URL: https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/python-oslo.policy
Push URL: https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/python-oslo.policy
# ...
root@oslop-f:/tmp/oslo.policy/python-oslo.policy# git status
On branch stable/ussuri
Your branch is up to date with 'origin/stable/ussuri'.
# ...
root@oslop-f:/tmp/oslo.policy/python-oslo.policy# export QUILT_PATCHES=debian/patches
root@oslop-f:/tmp/oslo.policy/python-oslo.policy# quilt push
Applying patch debian/patches/reload-policy-files.patch
patching file oslo_policy/policy.py
patching file oslo_policy/tests/test_policy.py
patching file releasenotes/notes/bug-1880959-8f1370a59759d40d.yaml
Now at patch debian/patches/reload-policy-files.patch
root@oslop-f:/tmp/oslo.policy/python-oslo.policy# tox -e py38 -- oslo_policy.tests.test_policy.EnforcerTest.test_load_directory_after_file_update
GLOB sdist-make: /tmp/oslo.policy/python-oslo.policy/setup.py
py38 inst-nodeps: /tmp/oslo.policy/python-oslo.policy/.tox/.tmp/package/1/oslo.policy-3.1.0.zip
py38 installed: alabaster==0.7.12,appdirs==1.4.3,attrs==19.3.0,Babel==2.8.0,bandit==1.5.1,CacheControl==0.12.6,certifi==2020.6.20,chardet==3.0.4,cliff==3.3.0,cmd2==1.1.0,colorama==0.4.3,contextlib2==0.6.0,coverage==5.2,debtcollector==2.1.0,distlib==0.3.0,distro==1.4.0,docutils==0.15.2,dulwich==0.20.5,entrypoints==0.3,extras==1.0.0,fixtures==3.0.0,flake8==3.7.9,future==0.18.2,gitdb==4.0.5,GitPython==3.1.3,hacking==3.0.1,html5lib==1.0.1,idna==2.10,imagesize==1.2.0,ipaddr==2.2.0,iso8601==0.1.12,Jinja2==2.11.2,linecache2==1.0.0,lockfile==0.12.2,MarkupSafe==1.1.1,mccabe==0.6.1,msgpack==0.6.1,netaddr==0.8.0,netifaces==0.10.9,openstackdocstheme==2.2.4,oslo.config==8.2.0,oslo.context==3.1.0,oslo.i18n==5.0.0,oslo.policy==3.1.0,oslo.serialization==4.0.0,oslo.utils==4.2.2,oslotest==4.4.0,packaging==20.4,pbr==5.4.5,pep517==0.8.2,prettytable==0.7.2,progress==1.5,pycodestyle==2.5.0,pyflakes==2.1.1,Pygments==2.6.1,pyparsing==2.4.7,pyperclip==1.8.0,python-mimeparse==1.6.0,python-subunit==1.4.0,pytoml==0.1.21,pytz==2020.1,PyYAML==5.3.1,reno==3.1.0,requests==2.23.0,requests-mock==1.8.0,retrying==1.3.3,rfc3986==1.4.0,six==1.15.0,smmap==3.0.4,snowballstemmer==2.0.0,Sphinx==3.1.2,sphinxcontrib-apidoc==0.3.0,sphinxcontrib-applehelp==1.0.2,sphinxcontrib-devhelp==1.0.2,sphinxcontrib-htmlhelp==1.0.3,sphinxcontrib-jsmath==1.0.1,sphinxcontrib-qthelp==1.0.3,sphinxcontrib-serializinghtml==1.1.4,stestr==3.0.1,stevedore==2.0.1,testtools==2.4.0,traceback2==1.4.0,unittest2==1.1.0,urllib3==1.25.9,voluptuous==0.11.7,wcwidth==0.2.5,webencodings==0.5.1,wrapt==1.12.1
py38 run-test-pre: PYTHONHASHSEED='930512441'
py38 run-test: commands[0] | stestr run --slowest oslo_policy.tests.test_policy.EnforcerTest.test_load_directory_after_file_update
WARNING [oslo_policy.policy] Policies ['foo'] reference a rule that is not defined.
{0} oslo_policy.tests.test_policy.EnforcerTest.test_load_directory_after_file_update [0.003257s] ... ok
======
Totals
======
Ran: 1 tests in 0.0033 sec.
- Passed: 1
- Skipped: 0
- Expected Fail: 0
- Unexpected Success: 0
- Failed: 0
Sum of execute time for each test: 0.0033 sec.
==============
Worker Balance
==============
- Worker 0 (1 tests) => 0:00:00.003257
Test id Runtime (s)
-------------------------------------------------------------------------------- -----------
oslo_policy.tests.test_policy.EnforcerTest.test_load_directory_after_file_update 0.003
______________________________________________________________________________ summary _______________________________________________________________________________
py38: commands succeeded
congratulations :)
** Tags removed: verification-ussuri-needed
** Tags added: verification-ussuri-done
https://bugs.launchpad.net/bugs/1880959
Title:
Rules from the policy directory files are not reapplied after changes
to the primary policy file
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive mitaka series:
Triaged
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in Ubuntu Cloud Archive rocky series:
In Progress
Status in Ubuntu Cloud Archive stein series:
Fix Committed
Status in Ubuntu Cloud Archive train series:
Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in oslo.policy:
Fix Released
Status in python-oslo.policy package in Ubuntu:
Fix Released
Status in python-oslo.policy source package in Xenial:
Triaged
Status in python-oslo.policy source package in Bionic:
Triaged
Status in python-oslo.policy source package in Eoan:
Won't Fix
Status in python-oslo.policy source package in Focal:
Fix Committed
Status in python-oslo.policy source package in Groovy:
Fix Released
Bug description:
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule:
  "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule:
  {'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
  "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
== ubuntu ==
The patches include unit tests that ensure the code is behaving as
expected and has not regressed. These tests are run during every
package build.
== upstream ==
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py)
under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests.
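The [Impact] sequence above can be reproduced with a small mtime-cached loader. This is an added example, not oslo.policy code and not the patch attached to the bug; `ToyEnforcer`, `run_scenario` and the `reapply_dir_on_primary_reload` switch are hypothetical names, and forcing a re-read of the directory files whenever the primary file is reloaded is an assumed remedy that matches the behaviour the bug title asks for.

```python
import json
import os
import tempfile

KEY = "identity:list_credentials"
PRIMARY_RULE = "rule:admin_required or user_id:%(user_id)s"

class ToyEnforcer:
    """Simplified mtime-cached loader (hypothetical; not oslo.policy's Enforcer)."""
    def __init__(self, policy_file, policy_dir, reapply_dir_on_primary_reload):
        self.policy_file = policy_file
        self.policy_dir = policy_dir
        self.reapply = reapply_dir_on_primary_reload
        self.rules = {}
        self._mtimes = {}

    def _load_file(self, path, overwrite, force=False):
        mtime = os.path.getmtime(path)
        if not force and self._mtimes.get(path) == mtime:
            return False  # unchanged since the last read: file is skipped
        self._mtimes[path] = mtime
        with open(path) as fh:
            data = json.load(fh)
        # The primary file replaces the rule set; directory files layer on top.
        self.rules = dict(data) if overwrite else {**self.rules, **data}
        return True

    def load_rules(self):
        primary_reloaded = self._load_file(self.policy_file, overwrite=True)
        force = self.reapply and primary_reloaded
        for name in sorted(os.listdir(self.policy_dir)):
            path = os.path.join(self.policy_dir, name)
            self._load_file(path, overwrite=False, force=force)

def run_scenario(fixed):
    """Return the active rule after the first load and after an mtime bump."""
    with tempfile.TemporaryDirectory() as root:
        primary = os.path.join(root, "policy.json")
        policy_d = os.path.join(root, "policy.d")
        os.mkdir(policy_d)
        # Constructed sample files; rule.yaml holds JSON, which is valid YAML.
        with open(primary, "w") as fh:
            json.dump({KEY: PRIMARY_RULE}, fh)
        with open(os.path.join(policy_d, "rule.yaml"), "w") as fh:
            json.dump({KEY: "!"}, fh)
        enforcer = ToyEnforcer(primary, policy_d, fixed)
        enforcer.load_rules()
        first = enforcer.rules[KEY]
        st = os.stat(primary)  # bump mtime only, content stays the same
        os.utime(primary, (st.st_atime, st.st_mtime + 10))
        enforcer.load_rules()
        return first, enforcer.rules[KEY]
```

With `fixed=False` the deny rule `!` from policy.d is silently replaced by the more permissive primary rule after the mtime bump, which is the incorrect rule combination the report describes; with `fixed=True` the override survives the reload.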