Fix listing metrics as non-admin without creator policy defined #1440
When using a minimal RBAC policy that only allows access either to a cloud admin or to a user that is part of the project a metric's resource is owned by, e.g.

There is an issue where `KeystoneAuthHelper.get_metric_policy_filter` will reject access to the metrics because from its perspective there are no applicable policies that the user has permission under.

This patch fixes that by adding an option to `get_metric_policy_filter` that allows an empty policy filter to be returned if an enforcement check for `resource.project_id` passes. This option is set to `False` by default, and only enabled where necessary.

This allows the caller to use `KeystoneAuthHelper.get_resource_policy_filter` to add project filters to the metric query based on the resource the metric is associated with.
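
A simplified model of the behaviour described above, added here as an illustration and not taken from the project's code: the function names echo the helpers named in the description, but their signatures, the `allow_resource_project_id` flag name, the policy rule and the sample metrics are all assumptions.

```python
class Forbidden(Exception):
    """Raised when no policy clause applies to the caller."""

def rule(creds, target):
    # Constructed minimal policy: cloud admin, or member of the project
    # that owns the metric's resource. There is no creator-based clause.
    return ("admin" in creds["roles"]
            or target.get("resource.project_id") == creds["project_id"])

def metric_policy_filter(creds, allow_resource_project_id=False):
    """Return metric-level clauses; [] means no metric-level restriction."""
    if rule(creds, {}):  # unconditional access, e.g. cloud admin
        return []
    pid = creds["project_id"]
    if rule(creds, {"created_by_project_id": pid}):
        return [{"created_by_project_id": pid}]
    # Hypothetical opt-in flag: defer the restriction to the resource filter.
    if allow_resource_project_id and rule(creds, {"resource.project_id": pid}):
        return []
    raise Forbidden("no applicable metric policy")  # fail closed by default

def resource_policy_filter(creds):
    """Return the resource-level project restriction, or None if unrestricted."""
    return None if rule(creds, {}) else {"project_id": creds["project_id"]}

def list_metrics(creds, metrics, allow_resource_project_id=False):
    clauses = metric_policy_filter(creds, allow_resource_project_id)
    res = resource_policy_filter(creds)
    visible = []
    for m in metrics:
        ok_metric = not clauses or any(
            all(m[k] == v for k, v in c.items()) for c in clauses)
        # The empty metric filter is safe only because this check is applied.
        ok_res = res is None or m["resource_project_id"] == res["project_id"]
        if ok_metric and ok_res:
            visible.append(m["name"])
    return visible

# Constructed sample data: metrics created by a service project for tenants.
METRICS = [
    {"name": "cpu-a", "created_by_project_id": "svc", "resource_project_id": "proj-a"},
    {"name": "cpu-b", "created_by_project_id": "svc", "resource_project_id": "proj-b"},
]
ADMIN = {"roles": ["admin"], "project_id": "ops"}
USER_A = {"roles": ["member"], "project_id": "proj-a"}
```

With the flag left at its default the non-admin listing raises `Forbidden`; with it enabled the user sees only `cpu-a`, because the resource filter supplies the project restriction that the empty metric filter no longer does.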