
yahoo-eng-team team mailing list archive

[Bug 1671448] Re: [RFE] Neutron quota api should be configurable via policy.json

 

Reviewed:  https://review.opendev.org/507446
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c9242f9a889f4d69653de4d21bec6060f549ee7b
Submitter: Zuul
Branch:    master

commit c9242f9a889f4d69653de4d21bec6060f549ee7b
Author: andrewbogott <abogott@xxxxxxxxxxxxx>
Date:   Thu Dec 26 23:34:31 2019 -0600

    Allow RBAC on Neutron quotas
    
    This patch adds the support to allow role based access control
    on quota of resources.
    
    Change-Id: I6544d4a0794944abb3e1c2ff89134bf313cf35e8
    Closes-Bug: #1671448


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1671448

Title:
  [RFE] Neutron quota api should be configurable via policy.json

Status in neutron:
  Fix Released

Bug description:
  Neutron does not have rbac rule support for quota in neutron
  policy.json >>
  https://github.com/openstack/neutron/blob/master/etc/policy.json . The
  rbac validations are programmatically hardcoded in the neutron quota
  api flow >>
  https://github.com/openstack/neutron/blob/master/neutron/pecan_wsgi/controllers/quota.py
  . For this reason, we currently do not have a mechanism to configure
  this in neutron policy.json.

  All REST api CRUD calls should have role based access control in place
  and OpenStack uses oslo_policy and policy.json files for this. There
  are rbac rules that are defined in the policy.json (one for each REST
  api CRUD operation) that can be used to configure the roles that can
  access the REST api. The neutron quota REST api however does not have
  this in place. For example, cinder policy.json has the below rules that
  can be used to configure RBAC on cinder quotas:

  
      "volume_extension:quotas:show": "",
      "volume_extension:quotas:update": "rule:admin_api",
      "volume_extension:quotas:delete": "rule:admin_api",

  https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json#L44

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1671448/+subscriptions
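
Added example, not part of the original message and not neutron's or oslo.policy's code: a small evaluator for a subset of the policy rule language, run over the three cinder quota rules quoted in the bug description, next to a hardcoded check of the kind the report describes. Assumptions: the "admin_api" definition, the "quota_manager" role, all function names, and the choice to deny an action that has no rule.

```python
import json

# Constructed policy file: the three cinder quota rules quoted in the bug
# description, plus an assumed definition of "admin_api" (not from the page).
POLICY_JSON = """{
  "admin_api": "is_admin:True",
  "volume_extension:quotas:show": "",
  "volume_extension:quotas:update": "rule:admin_api",
  "volume_extension:quotas:delete": "rule:admin_api"
}"""

def load_rules(text=POLICY_JSON):
    return json.loads(text)

def check(expr, rules, creds, seen=()):
    """Evaluate a small subset of the policy language: the empty string
    (always allow) and rule:/role:/is_admin: terms joined by ' or '."""
    if expr.strip() == "":
        return True
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule" and value in rules and value not in seen:
            # Follow the reference; 'seen' stops a rule that refers to itself.
            if check(rules[value], rules, creds, seen + (value,)):
                return True
        elif kind == "role" and value in creds.get("roles", []):
            return True
        elif kind == "is_admin" and str(bool(creds.get("is_admin"))) == value:
            return True
    return False  # unknown term kinds and undefined rules deny

def enforce(action, rules, creds):
    # Simplification: an action with no rule is denied (fail closed).
    return action in rules and check(rules[action], rules, creds)

def hardcoded_quota_update(creds):
    # Hypothetical in-code check of the kind the bug describes: the decision
    # lives in the API flow, so editing the policy file cannot change it.
    return bool(creds.get("is_admin"))

if __name__ == "__main__":
    rules = load_rules()
    member = {"roles": ["member"], "is_admin": False}
    print(enforce("volume_extension:quotas:show", rules, member))    # allowed by ""
    print(enforce("volume_extension:quotas:update", rules, member))  # needs admin_api
    # Operator edit: delegate updates to a hypothetical "quota_manager" role.
    rules["volume_extension:quotas:update"] = "rule:admin_api or role:quota_manager"
    manager = {"roles": ["quota_manager"], "is_admin": False}
    print(enforce("volume_extension:quotas:update", rules, manager))
    print(hardcoded_quota_update(manager))
```
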

