According to my test results, this topic is split into two:
(a) when a user does not have the admin role, I cannot reproduce the issue
(b) when a user has the admin role, the policy check (at least when creating a resource) seems skipped.
(a) is the expected result, but (b) needs further investigation.
The following is the detail.
Regarding (a), I cannot reproduce the issue reported here.
After running DevStack with 'enable_service neutron-trunk', I did the following steps:
1) Edit /etc/neutron/policy.json to have "create_trunk": "rule:admin_only"
2) Restart neutron-api service to ensure the updated policy.json is reloaded. (service devstack@neutron-api restart)
3) Set OS_CLOUD envvar to devstack (which is equivalent to "openrc demo demo")
4) Run "openstack network trunk create --parent-port p1 trunk1"
5) I got the message:
---
rule:create_trunk is disallowed by policy
Neutron server returns request_ids: ['req-df278e9a-f449-4a4e-a16f-e03b063c283c']
---
Regarding (b), when a user has the admin role, it seems a network trunk can be created regardless of policy configuration
1) Edit /etc/neutron/policy.json to have "create_trunk": "!" (or "create_trunk": "role:nothing")
2) Restart neutron-api service to ensure the updated policy.json is reloaded. (service devstack@neutron-api restart)
3) Set OS_CLOUD envvar to devstack-admin (which is equivalent to "openrc admin admin")
4) Run "openstack network trunk create --parent-port p1 trunk1"
5) The trunk was created successfully. <--- This is different from what we expect
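Added example (not part of the report above and not Neutron's own code): a minimal evaluator for the policy.json rule forms the two test runs used ("rule:admin_only", "!", "role:nothing"), applied to constructed credentials standing in for the devstack demo and admin users. The policy fragments and role lists are assumptions chosen to mirror the steps above. A pure rule evaluation denies the admin user under both "!" and "role:nothing", so the successful create in (b) is what you would see if the request never reached rule evaluation for an admin context, which is the behaviour flagged for investigation.

```python
"""Minimal evaluator for the oslo.policy rule subset used in the bug report.

Covers "!" (always deny), "@" / "" (always allow), "role:<name>",
"rule:<other rule>" and "A or B" / "A and B" (or binds weaker than and).
"""
import json

# Constructed policy.json fragments (not a real Neutron policy file), one per
# variant tried in the report. "admin_only" is spelled out as "role:admin".
POLICY_ADMIN_ONLY = json.loads(
    '{"admin_only": "role:admin", "create_trunk": "rule:admin_only"}')
POLICY_NEVER = json.loads(
    '{"admin_only": "role:admin", "create_trunk": "!"}')
POLICY_ROLE_NOTHING = json.loads(
    '{"admin_only": "role:admin", "create_trunk": "role:nothing"}')

# Constructed credentials standing in for "openrc demo demo" and
# "openrc admin admin"; the role names are assumptions.
DEMO = {"roles": ["Member"]}
ADMIN = {"roles": ["admin", "Member"]}


def check_rule(policy, expr, creds, depth=0):
    """Evaluate one rule expression against credentials."""
    if depth > 20:
        raise ValueError("rule reference cycle: %r" % expr)
    expr = expr.strip()
    # "or" has the lowest precedence, so split on it first.
    if " or " in expr:
        return any(check_rule(policy, p, creds, depth + 1)
                   for p in expr.split(" or "))
    if " and " in expr:
        return all(check_rule(policy, p, creds, depth + 1)
                   for p in expr.split(" and "))
    if expr == "!":
        return False
    if expr in ("@", ""):
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        if value not in policy:
            return False  # oslo.policy denies on an undefined rule reference
        return check_rule(policy, policy[value], creds, depth + 1)
    raise ValueError("unsupported check: %r" % expr)


def enforce(policy, action, creds):
    """Return True if the action is allowed.

    A missing action entry falls back to the "default" rule; if that is
    absent too the action is denied.
    """
    rule = policy.get(action, policy.get("default", "!"))
    return check_rule(policy, rule, creds)


def expected_outcomes():
    """What rule evaluation alone predicts for each scenario in the report."""
    return {
        "a_demo_admin_only": enforce(POLICY_ADMIN_ONLY, "create_trunk", DEMO),
        "admin_admin_only": enforce(POLICY_ADMIN_ONLY, "create_trunk", ADMIN),
        "b_admin_never": enforce(POLICY_NEVER, "create_trunk", ADMIN),
        "b_admin_role_nothing": enforce(POLICY_ROLE_NOTHING, "create_trunk",
                                        ADMIN),
    }


if __name__ == "__main__":
    for name, allowed in expected_outcomes().items():
        verdict = "allowed" if allowed else "disallowed by policy"
        print("%-22s -> %s" % (name, verdict))
```

Running it prints "disallowed by policy" for the demo user under admin_only (matching step 5 of (a)) and for the admin user under both "!" and "role:nothing"; only admin under admin_only is allowed. Comparing that last column with the actual server behaviour in (b) is a quick way to tell "the rule evaluated to allow" apart from "the rule was never evaluated" when reproducing.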