Reviewed:  https://review.openstack.org/455423
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8fad40bd2f945a9c7e9dd446bc5ba0c112730c04
Submitter: Jenkins
Branch:    master

commit 8fad40bd2f945a9c7e9dd446bc5ba0c112730c04
Author: Felipe Monteiro <[email protected]>
Date:   Mon Apr 10 19:45:23 2017 +0100

    Adding missing neutron policies to policy.json
    
    Currently, Neutron's policy.json does not exhaustively
    list all the policy actions within Neutron.
    
    This has some downsides:
      1) It makes it harder to override these policy actions
      2) It is inconsistent
      3) The policy.json should be a "golden copy" of all the
         policy actions enforced by the system.
      4) It makes it harder to RBAC test Neutron
         (because it is very difficult to determine which
          policy actions are valid and which are not).
    
    The current policy actions that are enforced by the system
    but not contained in the policy.json are as follows:
      - create_security_group
      - delete_security_group
      - delete_security_group_rule
      - get_security_group_rules
      - get_security_groups
      - get_security_group_rule
      - get_security_group
      - update_security_group
      - update_router
      - update_router:external_gateway_info
      - update_router:external_gateway_info:network_id
    
    Closes-Bug: #1676674
    Change-Id: I4625c8f55bfa46b1a2209642e425677a47455219


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1676674

Title:
  Policy.json is not exhaustive, missing many policy actions

Status in neutron:
  Fix Released

Bug description:
  Related bug: https://bugs.launchpad.net/neutron/+bug/1610038

  Currently, Neutron's policy.json does not exhaustively list all the
  policy actions within Neutron.

  This has some downsides:
    1) It makes it harder to override these policy actions (because an
       operator will have a much harder time coming across it)
    2) It is inconsistent: if the intention is to have policy actions like
       create_security_group default to the default rule, then why include
       rules like "create_subnetpool": "" in the policy.json?
    3) The policy.json should be a "golden copy" of all the policy actions
       enforced by the system.
    4) It makes it harder to RBAC test Neutron (because it is very difficult
       to determine which policy actions are valid and which are not).

  The current policy actions that I have identified that are enforced by the
  system but not contained in the policy.json are as follows:
    - create_security_group
    - delete_security_group
    - delete_security_group_rule
    - get_security_group_rules
    - get_security_groups
    - get_security_group_rule
    - get_security_group
    - update_security_group
    - update_router
    - update_router:external_gateway_info
    - update_router:external_gateway_info:network_id

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1676674/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
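
An audit of the gap the bug report describes, as an added example (not code from Neutron or from the commit): given the enforced actions listed above and a policy file, it reports which actions the file leaves unlisted and which check they end up with. The sample policy text is constructed, the helper names are hypothetical, and the fallback to a rule named `default` is an assumption taken from point 2 of the description.

```python
import json

# Actions the bug report lists as enforced but absent from policy.json.
ENFORCED_ACTIONS = [
    "create_security_group", "delete_security_group",
    "delete_security_group_rule", "get_security_group_rules",
    "get_security_groups", "get_security_group_rule",
    "get_security_group", "update_security_group",
    "update_router", "update_router:external_gateway_info",
    "update_router:external_gateway_info:network_id",
]
# Constructed sample for this example, not Neutron's shipped policy.json.
SAMPLE_POLICY_JSON = """{
    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
    "create_subnetpool": "",
    "update_router": "rule:admin_or_owner"
}"""


def resolve_alias(rules, expr, max_depth=10):
    """Follow whole-expression 'rule:<name>' aliases to the final check."""
    for _ in range(max_depth):  # bounded, so a rule cycle cannot loop forever
        if not (isinstance(expr, str) and expr.startswith("rule:")):
            return expr  # a concrete check, or None when nothing applies
        name = expr[len("rule:"):]
        if " " in name or name not in rules:
            return expr  # compound expression or dangling reference
        expr = rules[name]
    return expr


def audit_policy(policy_text, enforced_actions, default_rule="default"):
    """Split enforced actions into listed ones and ones left to the default."""
    rules = json.loads(policy_text)
    report = {"explicit": {}, "implicit": {}}
    for action in enforced_actions:
        if action in rules:
            report["explicit"][action] = resolve_alias(rules, rules[action])
        else:
            # Assumption: an unlisted action is checked against default_rule.
            fallback = rules.get(default_rule)
            report["implicit"][action] = resolve_alias(rules, fallback)
    return report


if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY_JSON, ENFORCED_ACTIONS)
    for action, check in sorted(result["implicit"].items()):
        print(f"{action}: not listed, falls back to {check!r}")
```

An implicit entry that resolves to `None` (no default rule) or to an empty string deserves a closer look before the file is treated as a golden copy.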
