[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file

Dmitrii Shcherbakov 1880959 at bugs.launchpad.net
Wed Jul 29 13:02:22 UTC 2020


xenial + proposed Queens cloud archive (doesn't look like the changes
are there):

lxc launch ubuntu:xenial oslop-xq 
Creating oslop-xq
Starting oslop-xq


lxc exec oslop-bq bash

root at oslop-xq:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial


root at oslop-xq:~# apt update
root at oslop-xq:~# apt install ubuntu-cloud-keyring

root at oslop-xq:~# sudo add-apt-repository cloud-archive:queens-proposed

root at oslop-xq:~# cat /etc/apt/sources.list.d/cloudarchive-queens-proposed.list
deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens main
# deb-src http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens main

root at oslop-xq:~# apt update && apt install python3-oslo.policy python3-oslotest
...
Setting up python3-oslo.config (1:5.2.0-0ubuntu1~cloud0) ...
update-alternatives: using /usr/bin/python3-oslo-config-generator to provide /usr/bin/oslo-config-generator (oslo-config-generator) in auto mode
Setting up python3-oslo.policy (1.33.1-0ubuntu2~cloud0) ...
update-alternatives: using /usr/bin/python3-oslopolicy-sample-generator to provide /usr/bin/oslopolicy-sample-generator (oslopolicy-sample-generator) in auto mode
update-alternatives: using /usr/bin/python3-oslopolicy-checker to provide /usr/bin/oslopolicy-checker (oslopolicy-checker) in auto mode
update-alternatives: using /usr/bin/python3-oslopolicy-policy-generator to provide /usr/bin/oslopolicy-policy-generator (oslopolicy-policy-generator) in auto mode
update-alternatives: using /usr/bin/python3-oslopolicy-list-redundant to provide /usr/bin/oslopolicy-list-redundant (oslopolicy-list-redundant) in auto mode

root at oslop-xq:~#  cd /usr/lib/python3/dist-packages/oslo_policy/

root at oslop-xq:/usr/lib/python3/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python3 -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
E
======================================================================
ERROR: test_load_directory_after_file_update (unittest.loader._FailedTest)
----------------------------------------------------------------------
AttributeError: type object 'EnforcerTest' has no attribute 'test_load_directory_after_file_update'

----------------------------------------------------------------------
Ran 1 test in 0.000s


root at oslop-xq:/usr/lib/python3/dist-packages/oslo_policy# apt install python-oslo.policy python-oslotest

root at oslop-xq:/usr/lib/python3/dist-packages/oslo_policy# cd /usr/lib/python2.7/dist-packages/oslo_policy/

root at oslop-xq:/usr/lib/python2.7/dist-packages/oslo_policy# PYTHONPATH=`realpath tests` ; python -m unittest tests.test_policy.EnforcerTest.test_load_directory_after_file_update
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/usr/lib/python2.7/unittest/__main__.py", line 12, in <module>
    main(module=None)
  File "/usr/lib/python2.7/unittest/main.py", line 94, in __init__
    self.parseArgs(argv)
  File "/usr/lib/python2.7/unittest/main.py", line 149, in parseArgs
    self.createTests()
  File "/usr/lib/python2.7/unittest/main.py", line 158, in createTests
    self.module)
  File "/usr/lib/python2.7/unittest/loader.py", line 130, in loadTestsFromNames
    suites = [self.loadTestsFromName(name, module) for name in names]
  File "/usr/lib/python2.7/unittest/loader.py", line 100, in loadTestsFromName
    parent, obj = obj, getattr(obj, part)
AttributeError: type object 'EnforcerTest' has no attribute 'test_load_directory_after_file_update'


root at oslop-xq:/usr/lib/python2.7/dist-packages/oslo_policy# apt policy python3-oslo.policy
python3-oslo.policy:
  Installed: 1.33.1-0ubuntu2~cloud0
  Candidate: 1.33.1-0ubuntu2~cloud0
  Version table:
 *** 1.33.1-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.0-2 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
root at oslop-xq:/usr/lib/python2.7/dist-packages/oslo_policy# apt policy python-oslo.policy
python-oslo.policy:
  Installed: 1.33.1-0ubuntu2~cloud0
  Candidate: 1.33.1-0ubuntu2~cloud0
  Version table:
 *** 1.33.1-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-proposed/queens/main amd64 Packages
        100 /var/lib/dpkg/status
     1.6.0-2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1880959

Title:
  Rules from the policy directory files are not reapplied after changes
  to the primary policy file

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Won't Fix
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in Ubuntu Cloud Archive rocky series:
  Fix Released
Status in Ubuntu Cloud Archive stein series:
  Fix Released
Status in Ubuntu Cloud Archive train series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Released
Status in oslo.policy:
  Fix Released
Status in python-oslo.policy package in Ubuntu:
  Fix Released
Status in python-oslo.policy source package in Xenial:
  Won't Fix
Status in python-oslo.policy source package in Bionic:
  Fix Committed
Status in python-oslo.policy source package in Eoan:
  Won't Fix
Status in python-oslo.policy source package in Focal:
  Fix Released
Status in python-oslo.policy source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc/<config_dir>/policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.

  This leads to scenarios where incorrect rule combinations are active.

  Example from the test case in 1880847:

  * policy.json gets read with the following rule;
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml from policy.d is read with the following rule;
  {'identity:list_credentials': '!'}
  * policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml doesn't get reapplied since it hasn't changed.

  [Test Case]
  == ubuntu ==

  The patches include unit tests that ensure the code is behaving as
  expected and has not regressed. These tests are run during every
  package build.

  == upstream ==
  For a particular version of oslo.policy:

  * put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py)
  under oslo_policy/tests/test_1880959.py;

  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
  * observe the failure;
  # ...
  testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
  Ran 1 tests in 0.005s (+0.001s)
  FAILED (id=1, failures=1)

  * apply the patch;
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
  * observe that the failure is no longer there.

  [Regression Potential]
  The regression potential is low given that there is test coverage in the oslo.policy unit tests.
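
The failure sequence from the bug description, reproduced with a simplified mtime-caching loader. This is an added example, not oslo.policy's code or the patch; `ToyEnforcer`, `reapply_dir` and `rule_after_touch` are hypothetical names, and the override file holds JSON (a YAML subset) so no YAML parser is needed.

```python
import json, os, tempfile
RULE = "identity:list_credentials"

class ToyEnforcer:
    """Simplified model of mtime-cached policy loading (not oslo.policy's code)."""
    def __init__(self, policy_file, policy_dir, reapply_dir):
        self.policy_file, self.policy_dir = policy_file, policy_dir
        self.reapply_dir = reapply_dir   # hypothetical switch: buggy vs. fixed
        self.rules, self._mtimes = {}, {}

    def _changed(self, path):
        mtime = os.stat(path).st_mtime_ns
        changed = self._mtimes.get(path) != mtime
        self._mtimes[path] = mtime
        return changed

    def load_rules(self):
        file_changed = self._changed(self.policy_file)
        if file_changed:
            # The primary file replaces the whole rule set, overrides included.
            with open(self.policy_file) as fh:
                self.rules = json.load(fh)
        for name in sorted(os.listdir(self.policy_dir)):
            path = os.path.join(self.policy_dir, name)
            dir_file_changed = self._changed(path)
            # Buggy: an unchanged override file is skipped even though the
            # primary file has just wiped its rules.
            if dir_file_changed or (self.reapply_dir and file_changed):
                with open(path) as fh:
                    self.rules.update(json.load(fh))
        return self.rules

def rule_after_touch(reapply_dir):
    """Return the effective rule after only policy.json's mtime changes."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, pdir = os.path.join(tmp, "policy.json"), os.path.join(tmp, "policy.d")
        os.mkdir(pdir)
        with open(primary, "w") as fh:   # constructed sample, rule text from the report
            json.dump({RULE: "rule:admin_required or user_id:%(user_id)s"}, fh)
        with open(os.path.join(pdir, "rule.yaml"), "w") as fh:
            json.dump({RULE: "!"}, fh)   # JSON is valid YAML; avoids a YAML dependency
        enforcer = ToyEnforcer(primary, pdir, reapply_dir)
        assert enforcer.load_rules()[RULE] == "!"   # deny override active at first
        st = os.stat(primary)
        os.utime(primary, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))  # touch only
        return enforcer.load_rules()[RULE]

if __name__ == "__main__":
    for flag in (False, True):
        print("reapply_dir =", flag, "->", rule_after_touch(flag))
```

Without the re-apply, the deny override `!` is replaced by the permissive rule from policy.json after a touch alone, so a deployment relying on policy.d to restrict an API fails open until the service is restarted or the override file itself changes.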
