Neutron in theory should support HttpCheck as a policy element:
https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L747
So I ran a little http server on localhost and added this line to the policy.json file:
"create_network": "http://127.0.0.1:8080/ or rule:default",
It turns out the http post never made it to the http server.
Here, the code is trying to populate a json string with variable target:
https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L757
And in execution, we have:
2013-10-01 14:22:32.092 ERROR neutron.openstack.common.policy [-] target={'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}
creds={'user_id': u'0495af214c2c4bdd99fadb7a7c69630e', 'roles': [u'admin'], 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'is_admin': True, 'timestamp': '2013-10-01 14:22:32.079282', 'project_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'read_deleted': 'no'}
url=http://127.0.0.1:8080/{'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}
2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy Traceback (most recent call last):
2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 52, in __call__
2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy qs = environ['QUERY_STRING']
2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy KeyError: 'QUERY_STRING'
2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy
2013-10-01 14:22:32.092 ERROR neutron.api.v2.resource [-] create failed
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource Traceback (most recent call last):
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource result = method(request=request, **args)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 357, in create
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource item[self._resource])
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/policy.py", line 379, in enforce
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource exc=exceptions.PolicyNotAuthorized, action=action)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 169, in check
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource result = rule(target, creds)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 732, in __call__
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource return _rules[self.match](target, creds)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 366, in __call__
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource if rule(target, cred):
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 758, in __call__
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource data = {'target': jsonutils.dumps(target),
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/openstack/common/jsonutils.py", line 151, in dumps
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource return json.dumps(value, default=default, **kwargs)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/json/__init__.py", line 238, in dumps
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource **kw).encode(obj)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/json/encoder.py", line 200, in encode
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource chunks = self.iterencode(o, _one_shot=True)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/json/encoder.py", line 263, in iterencode
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource return _iterencode(o, 0)
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource ValueError: Circular reference detected
2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource
Basically, the target variable looks like this when converted to string:
{'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}
I wonder if we should change the action to the url parameter and post the target as the post body.
I assume you have tested the same policy against other projects and that worked fine.
In which case it might be necessary to refresh oslo policy code in neutron.