[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file
Dmitrii Shcherbakov
1880959 at bugs.launchpad.net
Wed May 27 14:10:49 UTC 2020
** Also affects: oslo.policy
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.policy in Ubuntu.
https://bugs.launchpad.net/bugs/1880959
Title:
Rules from the policy directory files are not reapplied after changes
to the primary policy file
Status in oslo.policy:
In Progress
Status in python-oslo.policy package in Ubuntu:
New
Bug description:
Based on the investigation here https://bugs.launchpad.net/charm-
keystone/+bug/1880847 it was determined that rules from policy files
located in the directory specified in the policy_dirs option
(/etc/<config_dir>/policy.d by default) are not re-applied after the
rules from the primary policy file is re-applied due to a change.
This leads to scenarios where incorrect rule combinations are active.
Example from the test case in 1880847:
* policy.json gets read with the following rule;
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml from policy.d is read with the following rule;
{'identity:list_credentials': '!'}
* policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
* rule.yaml doesn't get reapplied since it hasn't changed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo.policy/+bug/1880959/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list