[Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file

Dmitrii Shcherbakov 1880959 at bugs.launchpad.net
Wed May 27 17:28:28 UTC 2020


Corey, I believe the issue got introduced in Liberty and affects all
releases since then:
https://opendev.org/openstack/oslo.policy/commit/b5f07dfe4cd4a5d12c7fecbc3954694d934de642

The check in question is still the same in Ussuri and that code hasn't seen much change:
https://opendev.org/openstack/oslo.policy/src/commit/d4a2c64fad8b0d8d2df6a447c6c9826deaf24593/oslo_policy/policy.py#L581-L585

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.policy in Ubuntu.
https://bugs.launchpad.net/bugs/1880959

Title:
  Rules from the policy directory files are not reapplied after changes
  to the primary policy file

Status in oslo.policy:
  In Progress
Status in python-oslo.policy package in Ubuntu:
  Triaged
Status in python-oslo.policy source package in Groovy:
  Triaged

Bug description:
  Based on the investigation here
  https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was
  determined that rules from policy files located in the directory
  specified in the policy_dirs option (/etc/<config_dir>/policy.d by
  default) are not re-applied after the rules from the primary policy
  file are re-applied due to a change.

  This leads to scenarios where incorrect rule combinations are active.

  Example from the test case in 1880847:

  * policy.json gets read with the following rule:
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml from policy.d is read with the following rule:
      {'identity:list_credentials': '!'}
  * policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
      "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml doesn't get reapplied since it hasn't changed.
