Adding and removing router interface uses a policy rule different from what is in the sample policy.json

Bug #1356678 reported by Gabriel Assis Bezerra
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Elena Ezhova

Bug Description

The operations for adding and removing a router interface are checking the "add_router_interface" and "remove_router_interface" policies, which are not listed in the sample policy.json. Instead, one can find these policies there:

    "update_router:add_router_interface": "rule:admin_or_owner",
    "update_router:remove_router_interface": "rule:admin_or_owner",

I've stated that while investigating this bug: https://bugs.launchpad.net/neutron/+bug/1356679

description: updated
Changed in neutron:
importance: Undecided → Medium
Elena Ezhova (eezhova) wrote :

But these rules are actually listed in the sample policy.json
https://github.com/openstack/neutron/blob/master/etc/policy.json#L111

Elena Ezhova (eezhova) wrote :

Could you please update the description so that it is clear which policy file you use (whether it is the default policy.json), which actions you perform and what the expected/actual result is?

Changed in neutron:
status: New → Incomplete
Gabriel Assis Bezerra (gabriel-bezerra) wrote :

I used the same policy.json as the sample [0]. There you will find:

    "update_router:add_router_interface": "rule:admin_or_owner",
    "update_router:remove_router_interface": "rule:admin_or_owner",

But those rules are not checked when you try to add or remove an interface from a router with something like this:

    def add_router_interface(self, router_id, subnet_id):
        body = {
            'subnet_id': subnet_id
        }

        return self.client.add_interface_router(router=router_id, body=body)

Instead, I verified that the policies that are being checked are: "add_router_interface" and "remove_router_interface" -- notice that they don't have the "update_router:" prefix -- which are not in the sample policy.json [0].

The bug showed up when I changed the "default" policy from "admin_or_owner" to "admin_only", and tried to add/remove the interface as a member of a project (owner). When the default rule was admin_or_owner, those rules which are not listed in the sample policy.json fell back to the "default" rule and things went ok, but when it was "admin_only", the fallback did not allow the owner to update his/her router.

[0] https://github.com/openstack/neutron/blob/master/etc/policy.json
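
The fallback behaviour described in the comment above, as an added example that is not part of the original thread or of neutron's code. It is a simplified model of rule lookup with a "default" fallback; the rule definitions, the `OWNER` and `ROUTER` values and all function names are constructed for illustration.

```python
# Simplified model of policy lookup with a "default" fallback.
# This is NOT neutron's policy engine; it supports only the term kinds used below.

def check(policy, rule_name, creds, target):
    """Evaluate rule_name; a name missing from the policy falls back to "default"."""
    expr = policy.get(rule_name, policy["default"])
    return any(_check_term(policy, term.strip(), creds, target)
               for term in expr.split(" or "))

def _check_term(policy, term, creds, target):
    kind, _, value = term.partition(":")
    if kind == "rule":        # reference to another named rule
        return check(policy, value, creds, target)
    if kind == "role":        # caller must hold this role
        return value in creds["roles"]
    if kind == "tenant_id":   # caller's project must match the target's
        return creds["tenant_id"] == value % target
    raise ValueError("unsupported term: %r" % term)

def unlisted_actions(policy, enforced_actions):
    """Enforced action names with no explicit rule (they silently use "default")."""
    return sorted(a for a in enforced_actions if a not in policy)

def sample_policy(default_rule):
    # Constructed policy: the two router entries are the ones quoted in the thread,
    # the helper rule definitions are assumptions.
    return {
        "context_is_admin": "role:admin",
        "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
        "admin_only": "rule:context_is_admin",
        "default": "rule:" + default_rule,
        "update_router:add_router_interface": "rule:admin_or_owner",
        "update_router:remove_router_interface": "rule:admin_or_owner",
    }

# Action names the thread reports as actually being checked.
ENFORCED = ["add_router_interface", "remove_router_interface"]
OWNER = {"roles": ["member"], "tenant_id": "proj-a"}   # constructed caller
ROUTER = {"tenant_id": "proj-a"}                       # constructed target

def owner_can_add_interface(default_rule):
    return check(sample_policy(default_rule), "add_router_interface", OWNER, ROUTER)

if __name__ == "__main__":
    for default_rule in ("admin_or_owner", "admin_only"):
        print(default_rule, "->", owner_can_add_interface(default_rule))
    print("no explicit rule:", unlisted_actions(sample_policy("admin_only"), ENFORCED))
```

Running `unlisted_actions` over the set of action names a service enforces is a quick way to spot rules that only work because of a permissive "default".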

Elena Ezhova (eezhova) wrote :

Ahh, now I see what you mean, thanks. But in this case the comment I left on https://bugs.launchpad.net/neutron/+bug/1356679 applies here too. It is logical that a regular user cannot update an admin_only attribute.

Gabriel Assis Bezerra (gabriel-bezerra) wrote :

Yes, the part about admin_only is right but it is not what I'm questioning.

I just think that either:
* the sample should be modified with the rules that are actually being checked; or
* the checked rules should be fixed in code to be the same as the ones which are present in the sample.

Elena Ezhova (eezhova) wrote :

It seems that the policy rules concerning adding/removing are currently indeed incorrect and "update_router" prefix needs to be removed. I will upload a fix shortly.

Changed in neutron:
status: Incomplete → Confirmed
assignee: nobody → Elena Ezhova (eezhova)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/115997

Changed in neutron:
status: Confirmed → In Progress
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → juno-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/115997
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=971747f4f23b4d8a3bf315011d0a441d03972860
Submitter: Jenkins
Branch: master

commit 971747f4f23b4d8a3bf315011d0a441d03972860
Author: Elena Ezhova <email address hidden>
Date: Thu Aug 21 18:36:42 2014 +0400

    Fix policy rules for adding and removing router interfaces

    Currently "add_router_interface" and "remove_router_interface"
    policy rules have the "update_router" prefix and thus are never
    enforced. Removing the prefix activates the rules.

    Also moved some rules, so that all router-related rules are
    now grouped together.

    Closes-Bug: 1356678
    Change-Id: Ib6cc45f2c6d0c7ae394274d6196262529b9fd855

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-3 → 2014.2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/133621

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/icehouse)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/133621
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
