
yahoo-eng-team team mailing list archive

[Bug 1757931] [NEW] Some policy values are not actually respected

 

Public bug reported:

I have a (slightly imaginary) deployment in which I want to allow some
service user to get information about networks belonging to other
projects, but I don't want this user to be the admin of the entire
Neutron.

To satisfy that requirement, I took a look in policy.json and found the
following default entry:

"get_network": "rule:admin_or_owner or rule:shared or rule:external or
rule:context_is_advsvc"

Naturally I tried to add an additional "or role:some_service_role" in
order to make it so this special service user would have those extra
permissions I desire. Unfortunately this did not work. It turns out
that, at least from my experience, this policy file entry is not
actually interpreted in a meaningful way by Neutron.

To test my theory that the policy values are not respected, I tried
manipulating the following line:

"external": "field:networks:router:external=True"

...just for fun I tried setting external to False, changing the whole
string to "rule:some_other_rule", etc. From all these policy.json
changes, nothing actually changed in Neutron's behavior.

Based on the little that I know about how Neutron has its API and
database logic stitched together, I'm assuming that there is some logic
there which does something hardcoded equivalent to "rule:admin_or_owner
or rule:shared or rule:external or rule:context_is_advsvc"... but isn't
actually looking in the policy file to see what the operator might have
overridden.

I wonder if others can reproduce this, and also what the steps forward
would be.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1757931


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1757931/+subscriptions