On last drivers team meeting we agreed to abandon this rfe as this is
going to address only corner case which can be easily workarounded.
** Changed in: neutron
Status: Confirmed => Won't Fix
** Tags removed: rfe-triaged
** Tags added: rfe
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1821208
Title:
[RFE] Only enforce policy when selected option does not match default
Status in neutron:
Won't Fix
Bug description:
Certain API behaviors are regulated by oslo.policy policy at a
granular level, but also have default values. If a user supplies API
options that match the defaults, bypass the policy check since the
result will be the same regardless.
A good example of this is creating a port with the the boolean
"enable_port_security" value, which in a typical deployment defaults
to 'True'. The "create_port:port_security_enabled" policy governs
this behavior, and is typically set to "rule:context_is_advsvc or
rule:admin_or_network_owner" which means a non-admin user that is not
the network owner would fail. Such a user should be able to specify
port_security=True when creating a port and not have that operation
fail the policy check.
Implementation
--------------
The policy check occurs almost immediately upon request reciept. Check for
calls to enforce() in neutron/api/v2/base.py [1]. A data structure would need
to be created from the policy-processing code that matches policy names with
their respective default values. Then the enforce() call would be made
contingent on divergence from the default.
[1] example:
https://opendev.org/openstack/neutron/src/branch/master/neutron/api/v2/base.py#L468
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1821208/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
