Comment 2 for bug 1749727

Pierre Riteau (priteau) wrote :

Hi Lance,

This is a policy file that I modified myself. Compared to the default Gnocchi policy, I added the "services_project" rule, and modified the "get resource", "get metric", and "get measures" rules to use the new rule. The intent was to make resources, metrics, and measures created by a specific project readable by every OpenStack user.

The following policy works:

    "services_project": "'d41d8cd98f00b204e9800998ecf8427e':%(created_by_project_id)s",
    "get resource": "rule:admin_or_creator or rule:resource_owner or rule:services_project",
    "get metric": "rule:admin_or_creator or rule:metric_owner or rule:services_project",
    "get measures": "rule:admin_or_creator or rule:metric_owner or rule:services_project",

I first tried to write the "services_project" rule in the opposite order, which doesn't work:

    "services_project": "%(created_by_project_id)s:'d41d8cd98f00b204e9800998ecf8427e'",

I first tried it this way because intuitively it felt like the right order: I write my code as `if x == some_value`, rather than `if some_value == x`.

Anyway, the documentation doesn't say anything about order being important. Do you know if this is a gap in the documentation or a bug in oslo.policy?
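
An added example, not part of the original comment and not oslo.policy code: a small lint pass over a policy dict that flags checks written in the order reported above as not working (a `%(...)s` substitution on the left of the colon) and lists the rules that reference them. The rule name `services_project_reversed` and the parenthesised "get metric" expression are constructed for the sample; the tokenizer assumes literals contain no spaces or colons.

```python
import re

SUBST = re.compile(r"%\([^)]+\)s")  # a %(name)s substitution
KEYWORDS = {"and", "or", "not"}

# Constructed sample: rules from the comment plus the reversed ordering.
SAMPLE_POLICY = {
    "services_project": "'d41d8cd98f00b204e9800998ecf8427e':%(created_by_project_id)s",
    "services_project_reversed": "%(created_by_project_id)s:'d41d8cd98f00b204e9800998ecf8427e'",
    "get resource": "rule:admin_or_creator or rule:resource_owner or rule:services_project",
    "get metric": "rule:admin_or_creator or (rule:metric_owner or rule:services_project_reversed)",
}

def checks(expr):
    """Yield (left, right) for every left:right check in a rule expression."""
    for tok in expr.split():
        tok = tok.lstrip("(").rstrip(")")  # drop grouping parentheses
        if tok.lower() in KEYWORDS or ":" not in tok:
            continue
        left, right = tok.split(":", 1)
        yield left, right

def reversed_checks(policy):
    """Map rule name -> checks whose left-hand side holds a %(...)s substitution."""
    found = {}
    for name, expr in policy.items():
        bad = [f"{left}:{right}" for left, right in checks(expr) if SUBST.search(left)]
        if bad:
            found[name] = bad
    return found

def affected(policy, flagged):
    """Return rules that reach a flagged rule through rule:<name> references."""
    def reaches(name, seen):
        if name in flagged:
            return True
        if name in seen or name not in policy:
            return False  # already visited (cycle) or defined elsewhere
        seen.add(name)
        return any(l == "rule" and reaches(r, seen) for l, r in checks(policy[name]))
    return sorted(n for n in policy if n not in flagged and reaches(n, set()))

if __name__ == "__main__":
    flagged = reversed_checks(SAMPLE_POLICY)
    for name, bad in flagged.items():
        print(f"{name}: substitution on the left-hand side in {bad}")
    print("rules depending on flagged rules:", affected(SAMPLE_POLICY, flagged))
```
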