Neutron custom policy.json no longer working after Icehouse upgrade

Bug #1331443 reported by Robert van Leeuwen
This bug affects 1 person
Affects: neutron
Status: Invalid
Importance: Medium
Assigned to: Salvatore Orlando

Bug Description

We have some custom policy rules implemented to have a shared network that only people who are members of a specific group can see.

Basically a few rules like this:

"shared": "field:networks:shared=True and not field:networks:name=mil",
"mil": "field:networks:name=mil and role:network_mil",
"subnets:mil:read": "rule:regular_user",
"subnets:mil:write": "rule:admin_only",
"get_subnet": "rule:admin_or_owner or rule:shared or rule:mil or rule:pub",
"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:mil or rule:pub",
"create_network:mil": "rule:admin_only",

This no longer seems to work after a Havana -> Icehouse upgrade.
Everyone sees these networks now.

Tags: policy
Salvatore Orlando (salvatore-orlando) wrote :

I'm going to triage this bug.
To be more precise, what's the issue observed here?

When you say everyone sees these networks, do you mean "mil" networks or the networks which should be shown because of "rule:pub"?
Please note that in your snippet you did not put what rule:pub is.

Changed in neutron:
importance: Undecided → Medium
assignee: nobody → Salvatore Orlando (salvatore-orlando)
Robert van Leeuwen (rovanleeuwen) wrote :

The "mil" is a shared network, but we only want people to see it when they are members of the role network_mil:
By default everyone sees ALL shared networks.

To prevent everyone from seeing all networks, I changed this:
"shared": "field:networks:shared=True",
To this:
"shared": "field:networks:shared=True and not field:networks:name=mil",

This used to work but no longer in Icehouse.

(The other lines in the example are just there to make it visible for users who are member of the group "network_mil")

Robert van Leeuwen (rovanleeuwen) wrote :

Never mind
This issue was caused by an improper setting of the auth_strategy in the neutron.conf.

Changed in neutron:
status: New → Invalid