Public bug reported: When investigating the status of policy updates in an Ussuri cloud as relates to the Consistent and Secure Default Policies project, I found that the nova_policy.json file does not match the contents of the nova policy defaults generated by the oslo policy generator.
This ultimately results in requests made in horizon being allowed when the CLI/API policy would not allow the same actions for new "reader" role. To reproduce, compare the differences of the output of the following command to the packaged nova_policy.json. oslopolicy-policy-generator --namespace nova https://opendev.org/openstack/horizon/src/branch/stable/ussuri/openstack_dashboard/conf/nova_policy.json References: https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team It appears it wasn't until the Wallaby release that Openstack dashboard refreshed the default policies to match the referenced projects when the policy configs changed from json to yaml. ** Affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1955674 Title: openstack dashboard conf policies don't match service default policies Status in OpenStack Dashboard (Horizon): New Bug description: When investigating the status of policy updates in an Ussuri cloud as relates to the Consistent and Secure Default Policies project, I found that the nova_policy.json file does not match the contents of the nova policy defaults generated by the oslo policy generator. This ultimately results in requests made in horizon being allowed when the CLI/API policy would not allow the same actions for new "reader" role. To reproduce, compare the differences of the output of the following command to the packaged nova_policy.json. oslopolicy-policy-generator --namespace nova https://opendev.org/openstack/horizon/src/branch/stable/ussuri/openstack_dashboard/conf/nova_policy.json References: https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team It appears it wasn't until the Wallaby release that Openstack dashboard refreshed the default policies to match the referenced projects when the policy configs changed from json to yaml. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1955674/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
