[Yahoo-eng-team] [Bug 1739108] Re: api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo

Fri, 19 Jan 2018 23:30:59 -0800 

Reviewed:  https://review.openstack.org/530488
Committed: 
https://git.openstack.org/cgit/openstack/horizon/commit/?id=54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Submitter: Zuul
Branch:    master

commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Author: Radomir Dopieralski <[email protected]>
Date:   Fri Dec 29 18:33:20 2017 +0100

    Fix api.keystone.is_cloud_admin/is_domain_admin handling with new policies
    
    Allow an action if no policy exists for it and there is no default
    policy.
    
    Change-Id: Ief6dc5ff15a83c70ee171774d1bfc6470c0863d1
    Closes-bug: 1739108


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1739108

Title:
  api.keystone.is_cloud_admin/is_domain_admin do not work with the
  latest policy from keystone repo

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do
  not work with the policy files generated from the latest master branch
  (queens) of the keystone repository (For example, keystone commit
  cfbc2aa30b7406b4bc77e40a55561d1f46174b5c).

  During the policy-in-code work, keystone drops "default" policy (which
  was "rule:admin_required").

  is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and 
"admin_and_matching_domain_id" policies respectively. They are not defined in 
the default keystone policy. 
  Previously a policy check fallbacks to "default" rule (i.e., 
"admin_required") and as a result both Is_cloud_admin() and is_domain_admin() 
checks "admin_required".

  Now the keystone default policy has no "default" rule. As a result
  is_cloud_admin() and is_doman_admin() always returns False. This means
  some admin-ness panels do not work.

  IIUC, the horizon policy framework intend to work with the default policies 
from back-end services.
  The current situation should be fixed until Queens release.

  [1]
  
https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1739108/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to