yahoo-eng-team team mailing list archive

[Bug 1356679] [NEW] Neutron is checking stricter policies than an operator would expect


Public bug reported:

I'm trying to set a custom policy.json for Neutron based on new roles I
have defined.

In this task, I changed the "default" policy from "rule:admin_or_owner"
to "rule:admin_only". After that, a bunch of operations stopped working,
including, for instance, a regular user deleting a network or a router
of his/her own project. Even with the policy for "delete_network"
unchanged -- rule:admin_or_owner --, only the admin could delete a
network.

I put a print statement in neutron.openstack.common.policy.check method
to investigate what was happening. On the following lines you can
compare the debug message in the logs with the actual content of the
"rule" parameter passed to "check".

- - -

DEBUG neutron.policy [...] Failed policy check for 'delete_network'

(((rule:delete_network and
rule:delete_network:provider:physical_network) and
rule:delete_network:provider:network_type) and
rule:delete_network:provider:segmentation_id)

- - -

DEBUG neutron.policy [...] Failed policy check for 'delete_port'

(((((((rule:delete_port and rule:delete_port:binding:host_id) and rule:delete_port:allowed_address_pairs) and rule:delete_port:binding:vif_details) and rule:delete_port:binding:vif_type) and rule:delete_port:mac_address) and rule:delete_port:binding:profile) and rule:delete_port:fixed_ips)

- - -

DEBUG neutron.policy [...] Failed policy check for 'delete_router'

(rule:delete_router and rule:delete_router:distributed)

- - -

DEBUG neutron.policy [...] Failed policy check for 'update_subnet'

(rule:update_subnet and rule:update_subnet:shared)

- in this case, there is no "update_subnet:shared" rule, but there is a
"subnets:shared:write" rule (which doesn't seem to be used).

- - -

These are the tests I've implemented that got broken after changing the
default rule. The update tests simply try to rename the resource.

test_delete_network_of_own_project
test_delete_port_own_project
test_add_router_interface_to_router_of_own_project*
test_delete_router_of_own_project
test_remove_router_interface_from_router_of_own_project*
test_update_router_of_own_project
test_update_shared_subnet_of_own_project

* these tests got broken because of this bug:
https://bugs.launchpad.net/neutron/+bug/1356678.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1356679
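A compact model of the composition visible in the debug output above (an added illustration, not Neutron's own policy engine): the action rule is and-ed with one rule per request attribute, and any rule name that is missing from policy.json resolves to "default". The policy excerpt, the project ids and the request are constructed for the example.

```python
# Added illustration of the behaviour the report describes (not Neutron's own
# policy engine): the check composes rule:<action> with one rule:<action>:<attr>
# per attribute, and any rule name missing from policy.json resolves to "default".

# Constructed policy.json excerpt; no delete_network:provider:* rules are defined.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "default": "rule:admin_or_owner",
    "delete_network": "rule:admin_or_owner",
}

def check_atom(atom, target, creds, policy):
    """Evaluate one 'kind:value' term of a policy expression."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Undefined rule names (e.g. delete_network:provider:network_type)
        # silently fall back to the "default" rule.
        return evaluate(policy.get(value, policy["default"]), target, creds, policy)
    if kind == "role":
        return value in creds["roles"]
    if value.startswith("%(") and value.endswith(")s"):
        # generic check: a credential attribute against a target attribute
        return str(creds.get(kind)) == str(target.get(value[2:-2]))
    raise ValueError("unsupported policy term: %s" % atom)

def evaluate(expr, target, creds, policy):
    """Evaluate an or-of-ands expression such as 'rule:a or x:%(x)s'."""
    return any(all(check_atom(a.strip(), target, creds, policy)
                   for a in clause.split(" and "))
               for clause in expr.split(" or "))

def compose_rule(action, attributes):
    """Build the conjunction seen in the report's debug output."""
    return " and ".join(["rule:" + action] +
                        ["rule:%s:%s" % (action, a) for a in attributes])

def enforce(action, attributes, target, creds, default_rule):
    """Run the composed check under a policy whose "default" is default_rule."""
    policy = dict(POLICY, default=default_rule)
    return evaluate(compose_rule(action, attributes), target, creds, policy)

PROVIDER_ATTRS = ["provider:physical_network", "provider:network_type",
                  "provider:segmentation_id"]
OWNER = {"tenant_id": "p1", "roles": ["member"]}   # constructed non-admin user
NETWORK = {"tenant_id": "p1"}                      # constructed network of project p1

if __name__ == "__main__":
    for default in ("rule:admin_or_owner", "rule:admin_only"):
        print(default, enforce("delete_network", PROVIDER_ATTRS, NETWORK, OWNER, default))
```

With "default" left at admin_or_owner the owner's delete succeeds; with it set to admin_only the same request fails even though delete_network itself still reads admin_or_owner, which is exactly the symptom reported.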
