I used the same policy.json as the sample [0]. There you will find:
    "update_router:add_router_interface": "rule:admin_or_owner",
    "update_router:remove_router_interface": "rule:admin_or_owner",
But those rules are not checked when you try to add or remove an interface from a router with something like this:
    def add_router_interface(self, router_id, subnet_id):
        body = {
            'subnet_id': subnet_id
        }
        return self.client.add_interface_router(router=router_id, body=body)
Instead, I verified that the policies that are being checked are: "add_router_interface" and "remove_router_interface" -- notice that they don't have the "update_router:" prefix -- which are not in the sample policy.json [0].
The bug showed up when I changed the "default" policy from "admin_or_owner" to "admin_only", and tried to add/remove the interface as a member of a project (owner). When the default rule was admin_or_owner, those rules which are not listed in the sample policy.json fell back to the "default" rule and things went ok, but when it was "admin_only", the fallback did not allow the owner to update his/her router.
[0] https://github.com/openstack/neutron/blob/master/etc/policy.json
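The fallback behaviour described in the report, as an added example that is not part of the original report and is not Neutron or oslo.policy code. It is a simplified model: the rule evaluator, credentials and target are constructed, and only the action names and the two prefixed policy entries come from the report.

```python
# Simplified model of default-rule fallback; not oslo.policy or Neutron code.

def is_admin(creds, target):
    return "admin" in creds["roles"]

def is_admin_or_owner(creds, target):
    return is_admin(creds, target) or creds["tenant_id"] == target["tenant_id"]

# Named checks that a "rule:<name>" reference resolves to (assumed semantics).
CHECKS = {"admin_only": is_admin, "admin_or_owner": is_admin_or_owner}

def build_policy(default_rule):
    """Constructed policy holding the two entries quoted in the report."""
    return {
        "default": "rule:" + default_rule,
        "update_router:add_router_interface": "rule:admin_or_owner",
        "update_router:remove_router_interface": "rule:admin_or_owner",
    }

def enforce(policy, action, creds, target):
    """Evaluate `action`; a name missing from the policy uses "default"."""
    rule = policy.get(action, policy["default"])
    return CHECKS[rule.split(":", 1)[1]](creds, target)

def unlisted_actions(policy, enforced_actions):
    """Audit helper: enforced action names that have no explicit rule."""
    return sorted(a for a in enforced_actions if a not in policy)

# Action names the report says are actually checked.
ENFORCED = ["add_router_interface", "remove_router_interface"]
OWNER = {"roles": ["member"], "tenant_id": "t1"}  # constructed credentials
ROUTER = {"tenant_id": "t1"}                       # constructed target

if __name__ == "__main__":
    for default in ("admin_or_owner", "admin_only"):
        policy = build_policy(default)
        allowed = enforce(policy, "add_router_interface", OWNER, ROUTER)
        print("default=%s: owner allowed=%s" % (default, allowed))
    print("no explicit rule:",
          unlisted_actions(build_policy("admin_only"), ENFORCED))
```

Running an audit like `unlisted_actions` against the names the API really enforces shows which permissions silently depend on "default" before that rule is tightened.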