yahoo-eng-team team mailing list archive
Message #80976
[Bug 1821208] Re: [RFE] Only enforce policy when selected option does not match default
At the last drivers team meeting we agreed to abandon this RFE, as it is
going to address only a corner case which can be easily worked around.
** Changed in: neutron
Status: Confirmed => Won't Fix
** Tags removed: rfe-triaged
** Tags added: rfe
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1821208
Title:
[RFE] Only enforce policy when selected option does not match default
Status in neutron:
Won't Fix
Bug description:
Certain API behaviors are regulated by oslo.policy policy at a
granular level, but also have default values. If a user supplies API
options that match the defaults, bypass the policy check since the
result will be the same regardless.
A good example of this is creating a port with the boolean
"enable_port_security" value, which in a typical deployment defaults
to 'True'. The "create_port:port_security_enabled" policy governs
this behavior, and is typically set to "rule:context_is_advsvc or
rule:admin_or_network_owner" which means a non-admin user that is not
the network owner would fail. Such a user should be able to specify
port_security=True when creating a port and not have that operation
fail the policy check.
Implementation
--------------
The policy check occurs almost immediately upon request receipt. Check for calls to enforce() in neutron/api/v2/base.py [1]. A data structure would need to be created from the policy-processing code that matches policy names with their respective default values. Then the enforce() call would be made contingent on divergence from the default.
[1] example:
https://opendev.org/openstack/neutron/src/branch/master/neutron/api/v2/base.py#L468
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1821208/+subscriptions
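
The gating described under "Implementation" above, as an added Python example that is not part of the original bug report and is not neutron or oslo.policy code. `Context`, `ATTRIBUTE_POLICIES`, `policies_to_enforce` and `authorize` are hypothetical names, the rule function is a stand-in for the policy string quoted in the report, and the request attribute is assumed to be `port_security_enabled`, taken from the policy name.

```python
# Added illustration; every name here is hypothetical, not neutron or oslo.policy code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user_project: str
    is_admin: bool = False
    is_advsvc: bool = False

# Stand-in for "rule:context_is_advsvc or rule:admin_or_network_owner".
def advsvc_or_admin_or_network_owner(ctx, network_project):
    return ctx.is_advsvc or ctx.is_admin or ctx.user_project == network_project

# The data structure the RFE asks for: attribute policy name -> (rule, default).
# Assumption: the default recorded here is the deployment's effective default.
ATTRIBUTE_POLICIES = {
    "create_port:port_security_enabled": (advsvc_or_admin_or_network_owner, True),
}

def policies_to_enforce(action, body, defaults_aware):
    """Return the attribute policy names that must be checked for this request."""
    needed = []
    for attr, value in body.items():
        name = f"{action}:{attr}"
        if name not in ATTRIBUTE_POLICIES:
            continue
        _, default = ATTRIBUTE_POLICIES[name]
        # Strict comparison: only the same type and value counts as "default",
        # so 1 or "True" is still policy-checked rather than treated as True.
        matches_default = type(value) is type(default) and value == default
        if defaults_aware and matches_default:
            continue
        needed.append(name)
    return needed

def authorize(action, body, ctx, network_project, defaults_aware=True):
    """True if every attribute policy that still applies passes for this caller."""
    return all(
        ATTRIBUTE_POLICIES[name][0](ctx, network_project)
        for name in policies_to_enforce(action, body, defaults_aware)
    )

if __name__ == "__main__":
    tenant = Context(user_project="tenant-b")  # constructed: neither admin nor owner
    for value in (True, False):
        body = {"port_security_enabled": value}
        print(value,
              authorize("create_port", body, tenant, "tenant-a", defaults_aware=False),
              authorize("create_port", body, tenant, "tenant-a"))
```

With `defaults_aware=False` the example reproduces the behaviour the report describes, where a non-owner is rejected even when supplying the default; a value that diverges from the default is policy-checked in both modes.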