yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1676674] [NEW] Policy.json is not exhaustive, missing many policy actions

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Felipe Monteiro <1676674@xxxxxxxxxxxxxxxxxx>
Date: Tue, 28 Mar 2017 00:35:32 -0000
Reply-to: Bug 1676674 <1676674@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Related bug: https://bugs.launchpad.net/neutron/+bug/1610038

Currently, Neutron's policy.json does not exhaustively list all the
policy actions within Neutron.

This has some downsides:
  1) It makes it harder to override these policy actions (because an operator will have a much harder time coming across it)
  2) It is inconsistent: if the intention is to have policy actions like create_security_group default to the default rule, then why include rules like "create_subnetpool": "" in the policy.json?
  3) The policy.json should be a "golden copy" of all the policy actions enforced by the system.
  4) It makes it harder to RBAC test Cinder (because it is very difficult to determine which policy actions are valid and which are not).

The current policy actions that I have identified that are enforced by the system but not contained in the policy.json are as follows:
  - create_security_group 
  - delete_security_group 
  - delete_security_group_rule 
  - get_security_group_rules 
  - get_security_groups 
  - get_security_group_rule 
  - get_security_group 
  - update_security_group 
  - update_router
  - update_router:external_gateway_info
  - update_router:external_gateway_info:network_id

** Affects: neutron
     Importance: Undecided
     Assignee: Felipe Monteiro (fm577c)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => Felipe Monteiro (fm577c)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1676674

Title:
  Policy.json is not exhaustive, missing many policy actions

Status in neutron:
  New

Bug description:
  Related bug: https://bugs.launchpad.net/neutron/+bug/1610038

  Currently, Neutron's policy.json does not exhaustively list all the
  policy actions within Neutron.

  This has some downsides:
    1) It makes it harder to override these policy actions (because an operator will have a much harder time coming across it)
    2) It is inconsistent: if the intention is to have policy actions like create_security_group default to the default rule, then why include rules like "create_subnetpool": "" in the policy.json?
    3) The policy.json should be a "golden copy" of all the policy actions enforced by the system.
    4) It makes it harder to RBAC test Cinder (because it is very difficult to determine which policy actions are valid and which are not).

  The current policy actions that I have identified that are enforced by the system but not contained in the policy.json are as follows:
    - create_security_group 
    - delete_security_group 
    - delete_security_group_rule 
    - get_security_group_rules 
    - get_security_groups 
    - get_security_group_rule 
    - get_security_group 
    - update_security_group 
    - update_router
    - update_router:external_gateway_info
    - update_router:external_gateway_info:network_id

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1676674/+subscriptions

Follow ups

[Bug 1676674] Re: Policy.json is not exhaustive, missing many policy actions
From: OpenStack Infra, 2017-04-17