Unable to override scope checks via policy.json or policy.yaml
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
oslo.policy |
New
|
Undecided
|
Unassigned |
Bug Description
I have a simple, permissive keystone rule in my policy.yaml:
"identity:
That should allow any token to list projects. It does, but I'm also scolded:
> UserWarning: Policy identity:
> ['system'] scope. This behavior may change in the future where
> using the intended scope is required
I see that enforce() starts by loading my custom rule:
to_check = self.rules[rule]
And at the bottom, to_check is passed to _check(). So that's all good.
Before calling _check(), it checks my token scope. But it doesn't check my token against the custom rule to_check, instead it checks it against a different rule, loaded from registered_rules().
So it checks my scope against policy-in-code but then calls _check() against the policy-in-file.
I'm open to the idea that this is somehow good or necessary, but it surprises me! I'm overriding the policy; shouldn't it always use the rule that I gave it? Am I misunderstanding what the scope check is for?
Tested in Queens, but I've verified that the registered_rules() check is also present in the git head of oslo.policy.
description: | updated |