[Bug 1880959] [NEW] Rules from the policy directory files are not reapplied after changes to the primary policy file
Dmitrii Shcherbakov
1880959 at bugs.launchpad.net
Wed May 27 14:04:57 UTC 2020
Public bug reported:
Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847
it was determined that rules from policy files located in the directory
specified in the policy_dirs option (/etc/<config_dir>/policy.d by default)
are not re-applied after the rules from the primary policy file are
re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule:
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule:
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
** Affects: python-oslo.policy (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.policy in Ubuntu.
https://bugs.launchpad.net/bugs/1880959
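The reload sequence the report describes, reproduced as an added stdlib-only model (this is not oslo.policy's own code and not the fix that was eventually applied upstream). It builds a temporary policy.json and a policy.d override, loads both, then bumps only the mtime of policy.json, exactly as in the test case above. The `PolicyModel` class, its `reapply_dirs_on_primary_change` switch and the `effective_rule` helper are hypothetical names chosen for this example; the override is written as policy.d/rule.json rather than rule.yaml so that PyYAML is not required (oslo.policy accepts both formats, and JSON is valid YAML).

```python
"""Model of the policy reload order described in bug 1880959.

Constructed example: a primary policy.json plus one override file in
policy.d.  Each file is re-read only when its own mtime changes, which is
the behaviour the report describes; the corrected variant also re-applies
every policy_dirs file whenever the primary file was reloaded.
"""
import json
import os
import tempfile

TARGET = "identity:list_credentials"
PRIMARY_RULE = "rule:admin_required or user_id:%(user_id)s"
OVERRIDE_RULE = "!"


class PolicyModel:
    """Mimics an enforcer that reloads a policy file when its mtime changes."""

    def __init__(self, primary_path, policy_dirs, reapply_dirs_on_primary_change):
        self.primary_path = primary_path
        self.policy_dirs = policy_dirs
        # Hypothetical switch: False reproduces the reported behaviour,
        # True re-applies directory rules after every primary reload.
        self.reapply_dirs_on_primary_change = reapply_dirs_on_primary_change
        self.rules = {}
        self._mtimes = {}

    def _changed(self, path):
        """Record the file's mtime; report whether it differs from last time."""
        mtime = os.stat(path).st_mtime
        changed = self._mtimes.get(path) != mtime
        self._mtimes[path] = mtime
        return changed

    @staticmethod
    def _read(path):
        with open(path) as fh:
            return json.load(fh)

    def _dir_files(self):
        # Directory files are applied in sorted name order, later ones winning.
        for directory in self.policy_dirs:
            for name in sorted(os.listdir(directory)):
                yield os.path.join(directory, name)

    def load_rules(self):
        """Reload the primary file if it changed, then merge policy_dirs files."""
        primary_reloaded = self._changed(self.primary_path)
        if primary_reloaded:
            # Reloading the primary file replaces the whole rule set, so any
            # override merged earlier from policy_dirs is dropped here.
            self.rules = self._read(self.primary_path)
        for path in self._dir_files():
            changed = self._changed(path)
            if changed or (primary_reloaded and self.reapply_dirs_on_primary_change):
                self.rules.update(self._read(path))
        return self.rules


def effective_rule(reapply_dirs_on_primary_change):
    """Run the report's scenario and return (rule after first load, rule after
    the primary file's mtime was bumped without a content change)."""
    with tempfile.TemporaryDirectory() as root:
        primary = os.path.join(root, "policy.json")
        policy_d = os.path.join(root, "policy.d")
        os.mkdir(policy_d)
        with open(primary, "w") as fh:
            json.dump({"admin_required": "role:admin", TARGET: PRIMARY_RULE}, fh)
        with open(os.path.join(policy_d, "rule.json"), "w") as fh:
            json.dump({TARGET: OVERRIDE_RULE}, fh)

        model = PolicyModel(primary, [policy_d], reapply_dirs_on_primary_change)
        first = model.load_rules()[TARGET]
        # Touch the primary file: mtime moves, content does not.
        st = os.stat(primary)
        os.utime(primary, (st.st_atime + 10, st.st_mtime + 10))
        second = model.load_rules()[TARGET]
        return first, second


if __name__ == "__main__":
    print("as reported    :", effective_rule(False))
    print("dirs re-applied:", effective_rule(True))
```

With the switch off, the second load yields the permissive primary rule although the policy.d file still says `!`; with it on, the override survives the primary reload. The same mechanism implies a workaround for the reported behaviour: since a directory file is re-read when its own mtime changes, touching the policy.d files after any edit to the primary file (or restarting the service) forces the overrides to be merged again.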