The rule default does not work for ceilometer. I tried with a few of these and they don't work. I am able to proceed with the REST APIs that are not mentioned even when the default is set to not_allowed.
"default": "not_allowed:True",
"default": "!",
The problem appears to be here: /usr/lib/python2.7/site-packages/ceilometer/api/rbac.py
    for rule_name in _ENFORCER.rules.keys():
        if rule_method == rule_name:
            if not _ENFORCER.enforce(
                    rule_name,
                    {},
                    policy_dict):
                pecan.core.abort(status_code=403,
                                 detail='RBAC Authorization Failed')
The rbac.enforce method loops through all the rules and filters the one that matches the one requested for. However, in a case where the rule has not been specified in the policy.json file, there is no logic in the above to fall back on the default value. The default logic is already taken care of by oslo_policy and the above loop seems to be causing the problem.
Patch submitted for review: https://review.openstack.org/#/c/167370/
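The fail-open behaviour described in the report above, as an added example that is not part of the original report, Ceilometer's code, or the submitted patch. MiniEnforcer is a simplified stand-in that models only the default-rule fallback of a policy engine, and the rule names, credentials and the direct_check variant are assumptions made for illustration.

```python
# Simplified stand-in for a policy enforcer with a "default" rule.
# This is NOT oslo.policy; it models only the fallback behaviour.
class MiniEnforcer:
    def __init__(self, rules):
        self.rules = dict(rules)

    def _check(self, expr, creds):
        if expr == "!":                      # deny everyone
            return False
        if expr in ("", "@"):                # allow everyone
            return True
        if expr.startswith("role:"):
            return expr[len("role:"):] in creds.get("roles", [])
        return False                         # unknown expression: deny (model choice)

    def enforce(self, rule_name, target, creds):
        # A rule name missing from the policy falls back to "default";
        # with no default at all, deny.
        expr = self.rules.get(rule_name, self.rules.get("default", "!"))
        return self._check(expr, creds)


def loop_check(enforcer, rule_method, creds):
    """Mirrors the loop in the report: only rules listed in the policy are enforced."""
    for rule_name in enforcer.rules.keys():
        if rule_method == rule_name:
            if not enforcer.enforce(rule_name, {}, creds):
                return 403
    # No listed rule matched: the request proceeds and "default" is never consulted.
    return 200


def direct_check(enforcer, rule_method, creds):
    """Hypothetical alternative: always call enforce() so the default rule applies."""
    return 200 if enforcer.enforce(rule_method, {}, creds) else 403


# Constructed policy: one explicit rule plus a deny-all default.
POLICY = {"telemetry:get_meters": "role:admin", "default": "!"}
ENFORCER = MiniEnforcer(POLICY)
MEMBER = {"roles": ["member"]}               # constructed credentials

if __name__ == "__main__":
    for api in ("telemetry:get_meters", "telemetry:unlisted_api"):
        print(api, "loop:", loop_check(ENFORCER, api, MEMBER),
              "direct:", direct_check(ENFORCER, api, MEMBER))
```

With the deny-all default, the loop version still returns 200 for the unlisted rule name, which matches the behaviour reported for APIs not mentioned in policy.json.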