[RFE] Policy values should be as flexible as they look
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
I have a (slightly imaginary) deployment in which I want to allow some service user to get information about networks belonging to other projects, but I don't want this user to be the admin of the entire Neutron.
To satisfy that requirement, I took a look in policy.json and found the following default entry:
"get_network": "rule:admin_
First I tried the following redefinition, with no success:
"get_network": "rule:admin_
I also tried the following redefinitions in the policy file, but with no effect:
"external": "field:
"get_network": "rule:some_
Redefining these policies as below did thankfully have the correct effect:
"context_is_admin": "role:admin or user_name:neutron or rule:some_new_rule"
"context_
So from all these observations it turns out that, at least from my experience, this policy file entry is not interpreted in a totally meaningful way.
To summarize:
- It seems like the list of the four checks for "get_network" ('admin or owner', 'external', 'shared', and 'advsvc') are essentially hard-coded and that this list of checks cannot be expanded by policy file.
- The definitions of the 'external' and 'shared' checks cannot be redefined by policy file entries -- they are also essentially hardcoded
- The definitions of the 'advsvc' and 'admin' checks can be successfully redefined by policy file -- because they are not hardcoded, see [0], [1]
For my own use case mentioned at the beginning of the bug report, the 'advsvc' policy feature basically accomplishes what I want. (I can redefine the 'advsvc' rule to be reflective of my own custom roles.) Very interestingly, when I remove the 'advsvc' statements from the port policy definitions, those changes are actually respected.
[0] https:/
[1] https:/
description: | updated |
summary: |
- [RFE] Some policy values are not actually respected + [RFE] Policy values should be as flexible as they look |
I'd suggest to check out how Octavia+Neutron work and the respective policy.json configurations are, because if I understand your use case correctly, it should be quite similar to it. That's what rule:context_ is_advsvc was built for. I can do some digging as there might be something missing in your policy.json.
Point taken that the handling of policy.json is a bit obscure, but that's one of those neutron things that have been hardly touched in ages and even though it's been extensively covered by unit testing, there may be a remote chance things might have been regressed.