Public bug reported:
Related bug: https://bugs.launchpad.net/neutron/+bug/1610038
Currently, Neutron's policy.json does not exhaustively list all the
policy actions within Neutron.
This has some downsides:
1) It makes it harder to override these policy actions (because an operator
will have a much harder time coming across it)
2) It is inconsistent: if the intention is to have policy actions like
create_security_group default to the default rule, then why include rules like
"create_subnetpool": "" in the policy.json?
3) The policy.json should be a "golden copy" of all the policy actions
enforced by the system.
4) It makes it harder to RBAC test Cinder (because it is very difficult to
determine which policy actions are valid and which are not).
The current policy actions that I have identified that are enforced by the
system but not contained in the policy.json are as follows:
- create_security_group
- delete_security_group
- delete_security_group_rule
- get_security_group_rules
- get_security_groups
- get_security_group_rule
- get_security_group
- update_security_group
- update_router
- update_router:external_gateway_info
- update_router:external_gateway_info:network_id
** Affects: neutron
Importance: Undecided
Assignee: Felipe Monteiro (fm577c)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Felipe Monteiro (fm577c)
https://bugs.launchpad.net/bugs/1676674
Title:
Policy.json is not exhaustive, missing many policy actions
Status in neutron:
New
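An added example (not part of the bug report and not Neutron's own code): a check that compares the actions named in the report against a policy file and reports which are absent, and so resolve to the "default" rule, and which carry an empty rule. The sample policy content and the name audit_policy are constructed for illustration.

```python
import json

# Constructed sample policy file (not Neutron's shipped policy.json).
# Only the "create_subnetpool": "" entry is quoted from the bug report.
SAMPLE_POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
    "create_subnetpool": ""
}
"""

# Actions the report lists as enforced but absent, plus the one it quotes.
ENFORCED_ACTIONS = [
    "create_security_group",
    "delete_security_group",
    "delete_security_group_rule",
    "get_security_group_rules",
    "get_security_groups",
    "get_security_group_rule",
    "get_security_group",
    "update_security_group",
    "update_router",
    "update_router:external_gateway_info",
    "update_router:external_gateway_info:network_id",
    "create_subnetpool",
]


def audit_policy(policy_text, enforced_actions, default_rule="default"):
    """Return actions absent from the policy file and actions with an empty rule.

    Assumption: an absent action is evaluated against `default_rule`,
    as the report describes; None means no such rule is defined either.
    """
    rules = json.loads(policy_text)
    fallback = rules.get(default_rule)
    missing = {a: fallback for a in enforced_actions if a not in rules}
    # An empty rule string places no restriction on the caller.
    unrestricted = [a for a in enforced_actions if rules.get(a) == ""]
    return {"missing": missing, "unrestricted": unrestricted}


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY_JSON, ENFORCED_ACTIONS)
    for action, rule in sorted(report["missing"].items()):
        print(f"MISSING       {action} -> falls back to {rule!r}")
    for action in report["unrestricted"]:
        print(f"UNRESTRICTED  {action} (empty rule)")
```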