oslopolicy-checker hardcodes match of project_id

Bug #1795496 reported by Adam Young
Affects: oslo.policy
Status: Confirmed
Importance: Medium
Assigned to: Harry Rybacki

Bug Description

One shortcut I made when writing the policy checker was that I ensured the project ID from the token would be used in the target:

    access_data = jsonutils.loads(access)['token']
    access_data['project_id'] = access_data['project']['id']
    ...
    target = {"project_id": access_data['project_id']}

This implies to a user that the API is actually checking the scope of the target. However, there is no way to pass target data in to the policy engine.

Thus, there is no way to confirm that it will reject if the target has a different project_id, nor does it allow more complex checks on other attributes from the target data.

Adam Young (ayoung) changed in oslo.policy:
    assignee: nobody → Harry Rybacki (hrybacki-h)

Ben Nemec (bnemec) changed in oslo.policy:
    status: New → Confirmed
    importance: Undecided → Medium
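
The behaviour described in the bug report, as an added example that is not part of the report and not oslo.policy code: a simplified model of a `project_id:%(project_id)s` rule shows that a target copied from the token always matches, while a caller-supplied target can be rejected. The tokens, the `generic_check` model and the `check_with_target` variant are assumptions made for illustration.

```python
import json

# Constructed sample tokens (not real Keystone output), shaped like the
# access data the report's snippet reads: token -> project -> id.
TOKEN_A = json.dumps({"token": {"project": {"id": "proj-a"}}})
TOKEN_B = json.dumps({"token": {"project": {"id": "proj-b"}}})

RULE = "project_id:%(project_id)s"  # assumed scope rule in kind:match form


def generic_check(rule, target, creds):
    """Simplified model (an assumption, not the library's code): the right
    side is filled from the target, the left side is looked up in creds."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute the rule refers to
    return str(creds.get(kind)) == expected


def load_creds(access):
    """Same two steps as the snippet in the report, using stdlib json."""
    access_data = json.loads(access)["token"]
    access_data["project_id"] = access_data["project"]["id"]
    return access_data


def check_hardcoded(access, rule=RULE):
    """Behaviour described in the report: target is copied from the token."""
    creds = load_creds(access)
    target = {"project_id": creds["project_id"]}
    return generic_check(rule, target, creds)


def check_with_target(access, target, rule=RULE):
    """Hypothetical variant: the caller supplies the target attributes."""
    return generic_check(rule, target, load_creds(access))


if __name__ == "__main__":
    for name, tok in (("A", TOKEN_A), ("B", TOKEN_B)):
        print(name, "hardcoded target ->", check_hardcoded(tok))
    other = {"project_id": "proj-b"}  # resource owned by another project
    print("A against proj-b resource ->", check_with_target(TOKEN_A, other))
    same = {"project_id": "proj-a"}
    print("A against proj-a resource ->", check_with_target(TOKEN_A, same))
```

With the hardcoded target the scope rule passes for every token, so a passing result says nothing about whether the rule would reject a resource in a different project.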