Value comparisons are dependent on order
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.policy | Triaged | Medium | Unassigned |
Bug Description
The documentation at https:/
"value1 : value2"
and that values can have various types. No mention is made of ordering, or that value1 or value2 are restricted to a subset of the allowed data types.
However, I have noticed that a rule using a target object attribute as value1 and string as value2 doesn't work. The service using the following policy (Gnocchi on Ocata) is showing the backtrace displayed below.
"services_
The opposite order works successfully though:
"services_
I am seeing this issue with python2-
In addition, changing the order of arguments in oslo_policy.
[Thu Feb 15 09:06:44.803271 2018] [:error] [pid 77563] [remote 10.20.111.244:56] mod_wsgi (pid=77563): Exception occurred processing WSGI script '/var/www/
[Thu Feb 15 09:06:44.803315 2018] [:error] [pid 77563] [remote 10.20.111.244:56] Traceback (most recent call last):
[Thu Feb 15 09:06:44.803335 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803363 2018] [:error] [pid 77563] [remote 10.20.111.244:56] resp = self.call_func(req, *args, **self.kwargs)
[Thu Feb 15 09:06:44.803374 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803387 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.func(req, *args, **kwargs)
[Thu Feb 15 09:06:44.803398 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803411 2018] [:error] [pid 77563] [remote 10.20.111.244:56] response = req.get_
[Thu Feb 15 09:06:44.803419 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803430 2018] [:error] [pid 77563] [remote 10.20.111.244:56] application, catch_exc_
[Thu Feb 15 09:06:44.803438 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803448 2018] [:error] [pid 77563] [remote 10.20.111.244:56] app_iter = application(
[Thu Feb 15 09:06:44.803463 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803481 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return app(environ, start_response)
[Thu Feb 15 09:06:44.803492 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803542 2018] [:error] [pid 77563] [remote 10.20.111.244:56] resp = self.call_func(req, *args, **self.kwargs)
[Thu Feb 15 09:06:44.803550 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803561 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.func(req, *args, **kwargs)
[Thu Feb 15 09:06:44.803571 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803581 2018] [:error] [pid 77563] [remote 10.20.111.244:56] response = req.get_
[Thu Feb 15 09:06:44.803588 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803598 2018] [:error] [pid 77563] [remote 10.20.111.244:56] application, catch_exc_
[Thu Feb 15 09:06:44.803620 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803633 2018] [:error] [pid 77563] [remote 10.20.111.244:56] app_iter = application(
[Thu Feb 15 09:06:44.803641 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803651 2018] [:error] [pid 77563] [remote 10.20.111.244:56] resp = self.call_func(req, *args, **self.kwargs)
[Thu Feb 15 09:06:44.803661 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803670 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.func(req, *args, **kwargs)
[Thu Feb 15 09:06:44.803677 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803689 2018] [:error] [pid 77563] [remote 10.20.111.244:56] response = req.get_
[Thu Feb 15 09:06:44.803697 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803706 2018] [:error] [pid 77563] [remote 10.20.111.244:56] application, catch_exc_
[Thu Feb 15 09:06:44.803713 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803723 2018] [:error] [pid 77563] [remote 10.20.111.244:56] app_iter = application(
[Thu Feb 15 09:06:44.803730 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803741 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.applicatio
[Thu Feb 15 09:06:44.803753 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803765 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.app(environ, start_response)
[Thu Feb 15 09:06:44.803772 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803783 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return self.applicatio
[Thu Feb 15 09:06:44.803790 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803801 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return super(Pecan, self)._
[Thu Feb 15 09:06:44.803808 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803818 2018] [:error] [pid 77563] [remote 10.20.111.244:56] self.invoke_
[Thu Feb 15 09:06:44.803828 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803838 2018] [:error] [pid 77563] [remote 10.20.111.244:56] result = controller(*args, **kwargs)
[Thu Feb 15 09:06:44.803848 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803859 2018] [:error] [pid 77563] [remote 10.20.111.244:56] self.enforce_
[Thu Feb 15 09:06:44.803866 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803883 2018] [:error] [pid 77563] [remote 10.20.111.244:56] enforce(rule, json.to_
[Thu Feb 15 09:06:44.803891 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803923 2018] [:error] [pid 77563] [remote 10.20.111.244:56] if not pecan.request.
[Thu Feb 15 09:06:44.803931 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.803942 2018] [:error] [pid 77563] [remote 10.20.111.244:56] result = self.rules[
[Thu Feb 15 09:06:44.803952 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.804066 2018] [:error] [pid 77563] [remote 10.20.111.244:56] if rule(target, cred, enforcer):
[Thu Feb 15 09:06:44.804080 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.804095 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return enforcer.
[Thu Feb 15 09:06:44.804104 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib/
[Thu Feb 15 09:06:44.804118 2018] [:error] [pid 77563] [remote 10.20.111.244:56] test_value = ast.literal_
[Thu Feb 15 09:06:44.804158 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib64/
[Thu Feb 15 09:06:44.804270 2018] [:error] [pid 77563] [remote 10.20.111.244:56] node_or_string = parse(node_
[Thu Feb 15 09:06:44.804283 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "/usr/lib64/
[Thu Feb 15 09:06:44.804297 2018] [:error] [pid 77563] [remote 10.20.111.244:56] return compile(source, filename, mode, PyCF_ONLY_AST)
[Thu Feb 15 09:06:44.804334 2018] [:error] [pid 77563] [remote 10.20.111.244:56] File "<unknown>", line 1
[Thu Feb 15 09:06:44.804341 2018] [:error] [pid 77563] [remote 10.20.111.244:56] %(created_
[Thu Feb 15 09:06:44.804344 2018] [:error] [pid 77563] [remote 10.20.111.244:56] ^
[Thu Feb 15 09:06:44.804347 2018] [:error] [pid 77563] [remote 10.20.111.244:56] SyntaxError: invalid syntax
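The traceback above ends in `ast.literal_eval` raising `SyntaxError` on a left-hand value that starts with `%(created_`. The following pre-deployment lint is an added example, not code from oslo.policy or Gnocchi; it flags checks whose left side would fail the same way. The sample policy, the rule names and the treatment of `ValueError` results as credential attribute names are assumptions made for illustration.

```python
import ast

# Constructed sample policy; rule and attribute names are placeholders.
SAMPLE_POLICY = {
    "template_on_left": "%(created_by_project_id)s:'services_project_uuid'",
    "literal_on_left": "'services_project_uuid':%(created_by_project_id)s",
    "credential_on_left": "project_id:%(project_id)s or role:admin",
    "grouped": "(is_admin:True and not %(owner)s:'demo')",
}


def iter_checks(rule):
    """Yield 'left:right' checks from a rule string.

    Assumption: checks are whitespace-separated and contain no spaces or
    colons inside quoted literals.
    """
    for token in rule.split():
        token = token.lstrip("(").rstrip(")")
        if ":" in token:
            yield token


def classify_left(left):
    """Classify the left side of a check by how ast.literal_eval treats it."""
    try:
        ast.literal_eval(left)
        return "literal"        # e.g. 'some string', True, 42
    except ValueError:
        return "credential"     # bare name such as project_id (assumed lookup)
    except SyntaxError:
        return "unparseable"    # e.g. %(attr)s, the case in the traceback


def lint(policy):
    """Return (rule_name, check) pairs whose left side is not parseable."""
    findings = []
    for name, rule in policy.items():
        for check in iter_checks(rule):
            left = check.partition(":")[0]
            if classify_left(left) == "unparseable":
                findings.append((name, check))
    return findings


if __name__ == "__main__":
    for name, check in lint(SAMPLE_POLICY):
        print(f"{name}: left side of {check!r} is a %(...)s template")
```

Run against a policy file loaded as a dict, any finding marks a rule that should be rewritten with the literal on the left and the `%(...)s` template on the right.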
Changed in oslo.policy:
status: New → Triaged
importance: Undecided → Medium
Do you happen to have a link to the Gnocchi policy that breaks this? Just curious because this is the first time I've seen a policy rule built like that, as opposed to the following syntax:
"'services_project_uuid':%(created_by_project_id)s"