Neutron is checking stricter policies than an operator would expect
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Low | Elena Ezhova | |
Bug Description
I'm trying to set a custom policy.json for Neutron based on new roles I have defined.
In this task, I changed the "default" policy from "rule:admin_or_owner" to "rule:admin_only". After that, a bunch of operations stopped working, including, for instance, a regular user deleting a network or a router of his/her own project. Even with the policy for "delete_network" unchanged (rule:admin_or_owner), only the admin could delete a network.
I put a print statement in neutron.
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_network'
(((rule:
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_port'
(((((((
pe) and rule:delete_
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_router'
(rule:delete_router and rule:delete_
- - -
DEBUG neutron.policy [...] Failed policy check for 'update_subnet'
(rule:update_subnet and rule:update_
- in this case, there is no "update_
- - -
These are the tests I've implemented that got broken after changing the default rule. The update tests simply try to rename the resource.
test_delete_
test_delete_
test_add_
test_delete_
test_remove_
test_update_
test_update_
* these tests got broken because of this bug: https:/
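The effect described in the report, as an added example that is not part of the original bug report or Neutron's own code: a minimal evaluator for a subset of the policy language in which a rule name missing from policy.json resolves to "default". The composite check and the sub-rule name `delete_router:example_attr` are constructed placeholders, not the values truncated in the log lines above.

```python
import re

def evaluate(rules, expr, target, creds):
    """Evaluate 'a and b or c' (no parentheses) against a target and credentials."""
    return any(
        all(_atom(rules, atom.strip(), target, creds) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )

def _atom(rules, atom, target, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # An undefined rule name silently resolves to the "default" rule.
        return evaluate(rules, rules.get(match, rules["default"]), target, creds)
    if kind == "role":
        return match in creds["roles"]
    # Generic check such as tenant_id:%(tenant_id)s compares creds with the target.
    return creds.get(kind) == match % target

def default_fallbacks(rules, expr):
    """Rule names referenced by expr that are undefined and so depend on 'default'."""
    return [n for n in re.findall(r"rule:([\w:]+)", expr) if n not in rules]

def make_policy(default):
    return {
        "context_is_admin": "role:admin",
        "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
        "admin_only": "rule:context_is_admin",
        "default": default,
        "delete_router": "rule:admin_or_owner",  # left unchanged by the operator
    }

# Constructed composite check; the sub-rule name is a placeholder.
COMPOSITE = "rule:delete_router and rule:delete_router:example_attr"
ROUTER = {"tenant_id": "t1"}
OWNER = {"tenant_id": "t1", "roles": ["member"]}
ADMIN = {"tenant_id": "t0", "roles": ["admin"]}

if __name__ == "__main__":
    for default in ("rule:admin_or_owner", "rule:admin_only"):
        rules = make_policy(default)
        print(default, "owner:", evaluate(rules, COMPOSITE, ROUTER, OWNER),
              "admin:", evaluate(rules, COMPOSITE, ROUTER, ADMIN),
              "falls back:", default_fallbacks(rules, COMPOSITE))
```

Running `default_fallbacks` over the checks a service actually evaluates shows which operations change behaviour when "default" is tightened, before the new policy.json is deployed.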
Changed in neutron:
assignee: nobody → Elena Ezhova (eezhova)
status: Incomplete → In Progress
Changed in neutron:
importance: Undecided → Low
milestone: none → juno-rc1
Changed in neutron:
status: Fix Committed → Fix Released
Changed in neutron:
milestone: juno-rc1 → 2014.2
Can you post the changes you've done to policy.json?