Hi Lance,
This is a policy file that I modified myself. Compared to the default Gnocchi policy, I added the "services_project" rule, and modified the "get resource", "get metric", and "get measures" rules to use the new rule. The intent was to make resources, metrics, and measures created by a specific project readable by every OpenStack user.
The following policy works:
"services_project": "'d41d8cd98f00b204e9800998ecf8427e':%(created_by_project_id)s",
"get resource": "rule:admin_or_creator or rule:resource_owner or rule:services_project",
"get metric": "rule:admin_or_creator or rule:metric_owner or rule:services_project",
"get measures": "rule:admin_or_creator or rule:metric_owner or rule:services_project",
I first tried to write the "services_project" rule in the opposite order, which doesn't work:
"services_project": "%(created_by_project_id)s:'d41d8cd98f00b204e9800998ecf8427e'",
I first tried it this way because intuitively it felt like the right order: I write my code as `if x == some_value`, rather than `if some_value == x`.
Anyway, the documentation doesn't say anything about order being important. Do you know if this is a gap in the documentation or a bug in oslo.policy?
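Added example (not part of the original comment, and not oslo.policy's own code): a simplified model of how a generic `left:right` check is evaluated, assuming the documented behaviour that the right side is %-interpolated from the target while the left side is read as a literal or as a credential key. The function name `generic_check` and the sample target and credentials are constructed for illustration; the project ID is the one from the post.

```python
import ast

def generic_check(rule, target, creds):
    """Simplified model of one 'left:right' policy check (an assumption, see lead-in)."""
    left, right = rule.split(":", 1)
    try:
        # Right side: %-interpolated from the target (the resource being read).
        match = right % target
    except KeyError:
        return False
    try:
        # Left side, case 1: a Python literal such as a quoted string.
        return match == str(ast.literal_eval(left))
    except (ValueError, SyntaxError):
        pass
    # Left side, case 2: a dotted key looked up in the caller's credentials.
    value = creds
    try:
        for part in left.split("."):
            value = value[part]
    except (KeyError, TypeError):
        return False
    return match == str(value)

# Constructed sample data: a resource created by the services project,
# read by a user from an unrelated project.
TARGET = {"created_by_project_id": "d41d8cd98f00b204e9800998ecf8427e"}
CREDS = {"project_id": "constructed-other-project", "roles": ["member"]}

# The two orderings from the post.
WORKING = "'d41d8cd98f00b204e9800998ecf8427e':%(created_by_project_id)s"
REVERSED = "%(created_by_project_id)s:'d41d8cd98f00b204e9800998ecf8427e'"

def compare_orderings():
    """Return (working_result, reversed_result) for the sample request."""
    return (generic_check(WORKING, TARGET, CREDS),
            generic_check(REVERSED, TARGET, CREDS))

if __name__ == "__main__":
    ok, rev = compare_orderings()
    print("literal on the left :", ok)
    print("literal on the right:", rev)
    # In the reversed form the left side is neither a literal nor a credential
    # key, and the right side keeps its quotes, so the check can never match.
```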