[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file
Corey Bryant
1880959 at bugs.launchpad.net
Thu Jul 23 13:28:05 UTC 2020
@Dmitrii, thanks for the simple test.
Just did a quick run through of testing cloud archive packages on
bionic. All passed the test:
root@b1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
root@b1:/usr/lib/python3/dist-packages/oslo_policy# apt policy python3-oslo.policy
python3-oslo.policy:
Installed: 1.38.1-0ubuntu1~cloud1
Candidate: 3.1.0-0ubuntu1.1~cloud0
Version table:
3.1.0-0ubuntu1.1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri/main amd64 Packages
2.3.2-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/train/main amd64 Packages
2.1.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/stein/main amd64 Packages
*** 1.38.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
100 /var/lib/dpkg/status
1.33.1-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
1.33.1-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
root@b1:/usr/lib/python3/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python3 -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
WARNING [oslo_policy.policy] Policies ['foo'] reference a rule that is not defined.
.
----------------------------------------------------------------------
Ran 1 test in 0.410s
OK
root@b1:/usr/lib/python3/dist-packages/oslo_policy# apt policy python3-oslo.policy
python3-oslo.policy:
Installed: 2.1.1-0ubuntu1~cloud1
Candidate: 3.1.0-0ubuntu1.1~cloud0
Version table:
3.1.0-0ubuntu1.1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri/main amd64 Packages
2.3.2-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/train/main amd64 Packages
*** 2.1.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/stein/main amd64 Packages
100 /var/lib/dpkg/status
1.38.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
1.33.1-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
1.33.1-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
root@b1:/usr/lib/python3/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python3 -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
WARNING [oslo_policy.policy] Policies ['foo'] reference a rule that is not defined.
.
----------------------------------------------------------------------
Ran 1 test in 0.233s
OK
root@b1:/usr/lib/python3/dist-packages/oslo_policy# apt policy python3-oslo.policy
python3-oslo.policy:
Installed: 2.3.2-0ubuntu1~cloud1
Candidate: 3.1.0-0ubuntu1.1~cloud0
Version table:
3.1.0-0ubuntu1.1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri/main amd64 Packages
*** 2.3.2-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/train/main amd64 Packages
100 /var/lib/dpkg/status
2.1.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/stein/main amd64 Packages
1.38.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
1.33.1-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
1.33.1-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
root@b1:/usr/lib/python3/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python3 -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
WARNING [oslo_policy.policy] Policies ['foo'] reference a rule that is not defined.
.
----------------------------------------------------------------------
Ran 1 test in 0.194s
OK
root@b1:/usr/lib/python3/dist-packages/oslo_policy# apt policy python3-oslo.policy
python3-oslo.policy:
Installed: 3.1.0-0ubuntu1.1~cloud0
Candidate: 3.1.0-0ubuntu1.1~cloud0
Version table:
*** 3.1.0-0ubuntu1.1~cloud0 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/ussuri/main amd64 Packages
100 /var/lib/dpkg/status
2.3.2-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/train/main amd64 Packages
2.1.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/stein/main amd64 Packages
1.38.1-0ubuntu1~cloud1 500
500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
1.33.1-0ubuntu2 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
1.33.1-0ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
root@b1:/usr/lib/python3/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python3 -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
WARNING [oslo_policy.policy] Policies ['foo'] reference a rule that is not defined.
.
----------------------------------------------------------------------
Ran 1 test in 0.155s
OK
** Tags removed: verification-rocky-needed
** Tags added: verification-rocky-done
--
https://bugs.launchpad.net/bugs/1880959
Title:
Rules from the policy directory files are not reapplied after changes
to the primary policy file
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive mitaka series:
Won't Fix
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in Ubuntu Cloud Archive rocky series:
Fix Released
Status in Ubuntu Cloud Archive stein series:
Fix Released
Status in Ubuntu Cloud Archive train series:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
Fix Released
Status in oslo.policy:
Fix Released
Status in python-oslo.policy package in Ubuntu:
Fix Released
Status in python-oslo.policy source package in Xenial:
Won't Fix
Status in python-oslo.policy source package in Bionic:
Triaged
Status in python-oslo.policy source package in Eoan:
Won't Fix
Status in python-oslo.policy source package in Focal:
Fix Released
Status in python-oslo.policy source package in Groovy:
Fix Released
Bug description:
[Impact]
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
[Test Case]
== ubuntu ==
The patches include unit tests that ensure the code is behaving as
expected and has not regressed. These tests are run during every
package build.
== upstream ==
For a particular version of oslo.policy:
* put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py)
under oslo_policy/tests/test_1880959.py;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
* observe the failure;
# ...
testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
Ran 1 tests in 0.005s (+0.001s)
FAILED (id=1, failures=1)
* apply the patch;
* run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
* observe that the failure is no longer there.
[Regression Potential]
The regression potential is low given that there is test coverage in the oslo.policy unit tests.
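The sequence in [Impact], reproduced with a simplified mtime-cached loader. This is an added example, not oslo.policy's code or the attached test; CachedPolicyLoader, run_scenario and the reapply_dir switch are hypothetical names, and rule.yaml is written as JSON (which is valid YAML) so only the standard library is needed.

```python
import json
import os
import tempfile

RULE = "identity:list_credentials"
PERMISSIVE = "rule:admin_required or user_id:%(user_id)s"  # policy.json rule from the page

class CachedPolicyLoader:
    """Simplified model of an mtime-cached loader; not oslo.policy's code."""

    def __init__(self, primary, policy_dir, reapply_dir):
        self.primary, self.policy_dir = primary, policy_dir
        self.reapply_dir = reapply_dir  # hypothetical switch: True models the fixed behaviour
        self.rules, self._mtimes = {}, {}

    def _changed(self, path):
        mtime = os.stat(path).st_mtime_ns
        old, self._mtimes[path] = self._mtimes.get(path), mtime
        return old != mtime

    def _read(self, path):
        with open(path) as f:
            return json.load(f)

    def load_rules(self):
        primary_reloaded = self._changed(self.primary)
        if primary_reloaded:
            self.rules = self._read(self.primary)  # overwrites every active rule
        for name in sorted(os.listdir(self.policy_dir)):
            path = os.path.join(self.policy_dir, name)
            changed = self._changed(path)
            if changed or (self.reapply_dir and primary_reloaded):
                self.rules.update(self._read(path))  # directory rules win again
        return self.rules

def run_scenario(reapply_dir):
    """Return the active rule before and after policy.json's mtime is bumped."""
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files
        primary, pdir = os.path.join(tmp, "policy.json"), os.path.join(tmp, "policy.d")
        os.mkdir(pdir)
        with open(primary, "w") as f:
            json.dump({RULE: PERMISSIVE}, f)
        with open(os.path.join(pdir, "rule.yaml"), "w") as f:
            json.dump({RULE: "!"}, f)  # the deny override from the page
        loader = CachedPolicyLoader(primary, pdir, reapply_dir)
        before = loader.load_rules()[RULE]
        st = os.stat(primary)  # bump mtime only; content is unchanged
        os.utime(primary, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        after = loader.load_rules()[RULE]
        return before, after
```

With reapply_dir=False the deny rule "!" silently reverts to the permissive policy.json rule after the mtime bump; with reapply_dir=True it stays "!".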