yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1676674] Re: Policy.json is not exhaustive, missing many policy actions

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1676674@xxxxxxxxxxxxxxxxxx>
Date: Mon, 17 Apr 2017 05:17:29 -0000
Reply-to: Bug 1676674 <1676674@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/455423
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8fad40bd2f945a9c7e9dd446bc5ba0c112730c04
Submitter: Jenkins
Branch:    master

commit 8fad40bd2f945a9c7e9dd446bc5ba0c112730c04
Author: Felipe Monteiro <felipe.monteiro@xxxxxxx>
Date:   Mon Apr 10 19:45:23 2017 +0100

    Adding missing neutron policies to policy.json
    
    Currently, Neutron's policy.json does not exhaustively
    list all the policy actions within Neutron.
    
    This has some downsides:
      1) It makes it harder to override these policy actions
      2) It is inconsistent
      3) The policy.json should be a "golden copy" of all the
         policy actions enforced by the system.
      4) It makes it harder to RBAC test Neutron
         (because it is very difficult to determine which
          policy actions are valid and which are not).
    
    The current policy actions that are enforced by the system
    but not contained in the policy.json are as follows:
      - create_security_group
      - delete_security_group
      - delete_security_group_rule
      - get_security_group_rules
      - get_security_groups
      - get_security_group_rule
      - get_security_group
      - update_security_group
      - update_router
      - update_router:external_gateway_info
      - update_router:external_gateway_info:network_id
    
    Closes-Bug: #1676674
    Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1676674

Title:
  Policy.json is not exhaustive, missing many policy actions

Status in neutron:
  Fix Released

Bug description:
  Related bug: https://bugs.launchpad.net/neutron/+bug/1610038

  Currently, Neutron's policy.json does not exhaustively list all the
  policy actions within Neutron.

  This has some downsides:
    1) It makes it harder to override these policy actions (because an operator will have a much harder time coming across it)
    2) It is inconsistent: if the intention is to have policy actions like create_security_group default to the default rule, then why include rules like "create_subnetpool": "" in the policy.json?
    3) The policy.json should be a "golden copy" of all the policy actions enforced by the system.
    4) It makes it harder to RBAC test Neutron (because it is very difficult to determine which policy actions are valid and which are not).

  The current policy actions that I have identified that are enforced by the system but not contained in the policy.json are as follows:
    - create_security_group
    - delete_security_group
    - delete_security_group_rule
    - get_security_group_rules
    - get_security_groups
    - get_security_group_rule
    - get_security_group
    - update_security_group
    - update_router
    - update_router:external_gateway_info
    - update_router:external_gateway_info:network_id

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1676674/+subscriptions

References

[Bug 1676674] [NEW] Policy.json is not exhaustive, missing many policy actions
From: Felipe Monteiro, 2017-03-28