| LucasWerkmeister | |
| Jun 4 2025, 12:28 PM |
| F61496651: Screen Shot 2025-06-04 at 15.11.16.png | |
| Jun 4 2025, 1:12 PM |
| F61493724: Screen Shot 2025-06-04 at 14.40.07.png | |
| Jun 4 2025, 12:40 PM |
| F61493663: Screen Shot 2025-06-04 at 14.27.24.png | |
| Jun 4 2025, 12:28 PM |
| F61493642: Screen Shot 2025-06-04 at 14.26.23.png | |
| Jun 4 2025, 12:28 PM |
Example: I (lucaswerkmeister) am currently only a “reader” in the bastion project; under Access > Project Access, I see a big “Grant Member Role” button next to all non-member readers, including myself.
There is also a “Revoke Member Role” button; I have not tried out if it does what it says.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Update keystone policy.yaml | operations/puppet | production | +9 -3 |
That UI is governed by:
admin_or_owner: is_admin:True or rule:member_role members:grant_membership: rule:admin_or_owner members:revoke_membership: rule:admin_or_owner members:toggle_member: rule:admin_or_owner
Which looks right to me, but the fact that both the UI and the backend agree that this is allowed means something bad is happening with the policy engine :(
With my non-privileged user, I only see the "Grant Member Role" button for existing users, not the usual add/remove user actions.
Looking at the code, that seems to be guarded behind the members:toggle_projectadmin rule, while the policy definition has members:toggle_member.. is oslo.policy really falling open when a rule is not defined anywhere?
@LucasWerkmeister, thank you for the clear and discreet report. I believe that this is now resolved, can you please confirm on your end?
i created https://phabricator.wikimedia.org/T396016 for followup about the fragility here.
