Message #19085
[Bug 1356679] [NEW] Neutron is checking stricter policies than an operator would expect
Public bug reported:
I'm trying to set a custom policy.json for Neutron based on new roles I
have defined.
In this task, I changed the "default" policy from "rule:admin_or_owner"
to "rule:admin_only". After that, a bunch of operations stopped working,
including, for instance, a regular user deleting a network or a router
of his/her own project. Even with the policy for "delete_network"
unchanged -- rule:admin_or_owner --, only the admin could delete a
network.
I put a print statement in neutron.openstack.common.policy.check method
to investigate what was happening. On the following lines you can
compare the debug message in the logs with the actual content of the
"rule" parameter passed to "check".
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_network'
(((rule:delete_network and
rule:delete_network:provider:physical_network) and
rule:delete_network:provider:network_type) and
rule:delete_network:provider:segmentation_id)
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_port'
(((((((rule:delete_port and rule:delete_port:binding:host_id) and rule:delete_port:allowed_address_pairs) and rule:delete_port:binding:vif_details) and rule:delete_port:binding:vif_type) and rule:delete_port:mac_address) and rule:delete_port:binding:profile) and rule:delete_port:fixed_ips)
- - -
DEBUG neutron.policy [...] Failed policy check for 'delete_router'
(rule:delete_router and rule:delete_router:distributed)
- - -
DEBUG neutron.policy [...] Failed policy check for 'update_subnet'
(rule:update_subnet and rule:update_subnet:shared)
- in this case, there is no "update_subnet:shared" rule, but there is a
"subnets:shared:write" rule (which doesn't seem to be used).
- - -
These are the tests I've implemented that got broken after changing the
default rule. The update tests simply try to rename the resource.
test_delete_network_of_own_project
test_delete_port_own_project
test_add_router_interface_to_router_of_own_project*
test_delete_router_of_own_project
test_remove_router_interface_from_router_of_own_project*
test_update_router_of_own_project
test_update_shared_subnet_of_own_project
* these tests got broken because of this bug:
https://bugs.launchpad.net/neutron/+bug/1356678.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1356679
Title:
Neutron is checking stricter policies than an operator would expect
Status in OpenStack Neutron (virtual network service):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1356679/+subscriptions