It has been a long time since this bug. Things have changed.
First of all, I agree with @enikanorov in [1]. I don't think it is a good way to just show HTTP 403 to a normal user for a resource that he should not know about, like a resource in other tenants.
If a user wants to update a resource that he can see but doesn't have policy_authorized for, neutron should report an HTTP 403. Patches [2] and [3] have fixed this. So, with the latest code, I can see the error "disallowed by policy" when I run "neutron router-gateway-set --disable-snat aaa public".
However, during the investigation, I found that I can run "neutron router-gateway-set aaa public" with the default policy file. So I will submit a minor patch to address the default policy problem.
[1] https://review.openstack.org/#/c/85682/
[2] https://review.openstack.org/#/c/123673/
[3] https://review.openstack.org/#/c/112150/
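The 404-versus-403 distinction discussed in this comment, as an added Python example that is not part of the original comment and is not Neutron's code. The `Context` class, the policy table, the helper names and the router record are all constructed for illustration.

```python
# Added illustration; names and rules are constructed, not Neutron's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

def admin_only(ctx, res):
    return ctx.is_admin

def admin_or_owner(ctx, res):
    return ctx.is_admin or ctx.tenant_id == res["tenant_id"]

# Constructed policy table: action name -> predicate(ctx, resource).
POLICY = {
    "get_router": admin_or_owner,
    "update_router": admin_or_owner,
    "update_router:external_gateway_info:enable_snat": admin_only,
}

def flatten(prefix, body):
    """Yield one policy action per attribute path present in the request body."""
    for key, value in body.items():
        action = f"{prefix}:{key}"
        yield action
        if isinstance(value, dict):
            yield from flatten(action, value)

def authorize_update(ctx, router, body, policy=POLICY):
    """Return (status, message) for an update request on `router`."""
    # Step 1: visibility. A caller who may not read the resource gets 404,
    # so the response does not confirm that the ID exists in another tenant.
    if not policy["get_router"](ctx, router):
        return 404, "Router could not be found"
    # Step 2: the resource is visible, so a denial is reported as 403.
    for action in ["update_router", *flatten("update_router", body)]:
        rule = policy.get(action)  # attributes without a rule are not restricted
        if rule is not None and not rule(ctx, router):
            return 403, f"{action} disallowed by policy"
    return 200, "OK"

ROUTER = {"id": "aaa", "tenant_id": "tenant-a"}  # constructed sample record
```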