From de243e7a72097246a1c9be9072a4322df38927b2 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Wed, 3 Feb 2021 11:01:18 -0600 Subject: Work on copy of registered rule instead of original object When service register their policy rule oslo policy does not copy the rule and instead work on the original object. - https://github.com/openstack/oslo.policy/blob/bd9d47aa36ad6f2f4746f09a267d7ce809a820f4/oslo_policy/policy.py#L1104 policy enforcer modify the default rules in _handle_deprecated_rule(). - https://github.com/openstack/oslo.policy/blob/bd9d47aa36ad6f2f4746f09a267d7ce809a820f4/oslo_policy/policy.py#L767-L774 In any case, oslo policy should make copy of the registered rules. Another thing it fix is setting of flag RuleDefault._deprecated_rule_handled. Flag _deprecated_rule_handled is set to True when _handle_deprecated_rule() is called irrespective of it actually handle the deprecated rule and add it in OR checks. We should set this flag when acutally deprecated rule is handled so that if any condition change like config flag or file rules we correctly handle deprecated rules. Closes-Bug: #1914095 Closes-Bug: #1914592 Story: 2008556 Task: 41687 Change-Id: I154213dabd4d9eef760f0a4c9a852d504638ca8d --- releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml (limited to 'releasenotes') diff --git a/releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml b/releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml new file mode 100644 index 0000000..17f2c6f --- /dev/null +++ b/releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + This fixes the Bug# 1914095. Policy engine has bug of modifying the + registered rule original object which caused issue when there are + multiple policy objects are processing rules in parallel. + With this fix. policy engine will make copies of all the registered rules + and process accordingly. -- cgit v1.2.1