
yahoo-eng-team team mailing list archive

[Bug 1821208] [NEW] [RFE] Only enforce policy when selected option does not match default


Public bug reported:

Certain API behaviors are regulated by oslo.policy policy at a granular
level, but also have default values.  If a user supplies API options
that match the defaults, bypass the policy check since the result will
be the same regardless.

A good example of this is creating a port with the boolean
"enable_port_security" value, which in a typical deployment defaults to
'True'.  The "create_port:port_security_enabled" policy governs this
behavior, and is typically set to "rule:context_is_advsvc or
rule:admin_or_network_owner", which means a non-admin user that is not
the network owner would fail.  Such a user should be able to specify
port_security=True when creating a port and not have that operation fail
the policy check.

Implementation
--------------
The policy check occurs almost immediately upon request receipt.  Check for calls to enforce() in neutron/api/v2/base.py [1].  A data structure would need to be created from the policy-processing code that matches policy names with their respective default values.  Then the enforce() call would be made contingent on divergence from the default.

[1] example:
https://opendev.org/openstack/neutron/src/branch/master/neutron/api/v2/base.py#L468
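A sketch of the proposed behavior in plain Python, added here as an example and not neutron's or oslo.policy's own code. Policy names follow the "<action>:<attribute>" convention the report quotes; the attribute-default table, the enforce() callback, the rule function and the request bodies are all constructed for the example.

```python
from typing import Any, Mapping


class PolicyNotAuthorized(Exception):
    """Stand-in for the denial raised by a real policy enforcer."""


# Constructed per-attribute defaults for the "port" resource. The RFE wants
# this table generated from the policy-processing code; the value compared
# against must be the effective default for this request, not a static guess.
PORT_ATTR_DEFAULTS: dict[str, Any] = {"port_security_enabled": True,
                                      "admin_state_up": True}
_UNSET = object()


def policies_to_enforce(action: str, body: Mapping[str, Any],
                        defaults: Mapping[str, Any]) -> list[str]:
    """Names ("<action>:<attr>") of policies that still need enforcing.

    An attribute is skipped only if the caller supplied the default value of
    the same type (so 1 does not pass as True); attributes the caller omitted
    are not checked here because the server fills them in itself.
    """
    names = []
    for attr, value in body.items():
        default = defaults.get(attr, _UNSET)
        if default is not _UNSET and type(value) is type(default) and value == default:
            continue  # same outcome as the default: nothing to gate
        names.append(f"{action}:{attr}")
    return names


def check_request(action, body, enforce, defaults, extra_target=None):
    """Enforce the remaining policies; denial propagates as PolicyNotAuthorized."""
    target = {**body, **(extra_target or {})}  # extra_target: e.g. network owner
    enforced = policies_to_enforce(action, body, defaults)
    for name in enforced:
        enforce(name, target)
    return enforced


def make_enforcer(rules, ctx):
    """Constructed enforcer: rule names with no rule are allowed, others evaluated."""
    def enforce(name, target):
        rule = rules.get(name)
        if rule is not None and not rule(ctx, target):
            raise PolicyNotAuthorized(name)
    return enforce


def advsvc_or_admin_or_network_owner(ctx, target):
    # Simplified model of "rule:context_is_advsvc or rule:admin_or_network_owner".
    return (ctx["is_advsvc"] or ctx["is_admin"]
            or ctx["project_id"] == target.get("network_owner"))


RULES = {"create_port:port_security_enabled": advsvc_or_admin_or_network_owner}
```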

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1821208

