Public bug reported:

I'm trying to set a custom policy.json for Neutron based on new roles I have defined.

In this task, I changed the "default" policy from "rule:admin_or_owner" to "rule:admin_only". After that, a bunch of operations stopped working, including, for instance, a regular user deleting a network or a router of his/her own project. Even with the policy for "delete_network" unchanged -- rule:admin_or_owner --, only the admin could delete a network.

I put a print statement in the neutron.openstack.common.policy.check method to investigate what was happening. On the following lines you can compare the debug message in the logs with the actual content of the "rule" parameter passed to "check".

  DEBUG neutron.policy [...] Failed policy check for 'delete_network'
  (((rule:delete_network and rule:delete_network:provider:physical_network) and rule:delete_network:provider:network_type) and rule:delete_network:provider:segmentation_id)

  DEBUG neutron.policy [...] Failed policy check for 'delete_port'
  (((((((rule:delete_port and rule:delete_port:binding:host_id) and rule:delete_port:allowed_address_pairs) and rule:delete_port:binding:vif_details) and rule:delete_port:binding:vif_type) and rule:delete_port:mac_address) and rule:delete_port:binding:profile) and rule:delete_port:fixed_ips)

  DEBUG neutron.policy [...] Failed policy check for 'delete_router'
  (rule:delete_router and rule:delete_router:distributed)

  DEBUG neutron.policy [...] Failed policy check for 'update_subnet'
  (rule:update_subnet and rule:update_subnet:shared)

  In this case, there is no "update_subnet:shared" rule, but there is a "subnets:shared:write" rule (which doesn't seem to be used).

These are the tests I've implemented that got broken after changing the default rule. The update tests simply try to rename the resource.

  test_delete_network_of_own_project
  test_delete_port_own_project
  test_add_router_interface_to_router_of_own_project *
  test_delete_router_of_own_project
  test_remove_router_interface_from_router_of_own_project *
  test_update_router_of_own_project
  test_update_shared_subnet_of_own_project

* these tests got broken because of this bug: https://bugs.launchpad.net/neutron/+bug/1356678.

** Affects: neutron
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1356679
Title: Neutron is checking stricter policies than an operator would expect
Status in OpenStack Neutron (virtual network service): New

Mailing list: https://launchpad.net/~yahoo-eng-team
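The behaviour the reporter is describing, modelled as an added example (this is not code from the bug report, from Neutron or from oslo policy): a rule name that is absent from policy.json resolves to the "default" rule, and the check for an action is the AND of the action rule with one "<action>:<attribute>" sub-rule per attribute, which is the composite visible in the DEBUG lines. Only the attribute sub-rule names are taken from the report; the evaluator, the Context class, the policy dictionaries, the project ids and the role names are assumptions constructed for this example. The point it makes explicit is that "default" is a catch-all: changing it alters every rule name the evaluator consults that the operator never wrote down, so the action rule the operator did write can pass while the request is still refused.

```python
"""Model of the policy fallback behaviour described in the bug report above.

Added illustration; it is not Neutron or oslo policy code. It models the two
mechanisms the report's DEBUG lines depend on: a rule name that is not
defined in policy.json resolves to the "default" rule, and Neutron ANDs the
action rule with one "<action>:<attribute>" sub-rule per attribute. The
attribute names come from the report; the evaluator, the policy dicts and
the request context are constructed for this example.
"""

from dataclasses import dataclass, field

# Attribute sub-rules the report's DEBUG lines show being ANDed onto each action.
ATTRIBUTE_RULES = {
    "delete_network": ["provider:physical_network", "provider:network_type",
                       "provider:segmentation_id"],
    "delete_router": ["distributed"],
    "update_subnet": ["shared"],
}


@dataclass
class Context:
    """Minimal stand-in for the request context (constructed)."""
    project_id: str
    roles: set = field(default_factory=set)


def check(rule_name, policy, ctx, target):
    """Look up rule_name; an undefined name resolves to policy['default']."""
    expr = policy.get(rule_name, policy["default"])
    return _eval_expr(expr, policy, ctx, target)


def _eval_expr(expr, policy, ctx, target):
    """Flat 'a or b and c' evaluator: 'and' binds tighter than 'or'."""
    return any(
        all(_eval_atom(atom, policy, ctx, target) for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def _eval_atom(atom, policy, ctx, target):
    """One atom: rule:<name>, role:<name>, project_id:%(project_id)s, @ or !."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    if atom.startswith("rule:"):
        return check(atom[len("rule:"):], policy, ctx, target)
    if atom.startswith("role:"):
        return atom[len("role:"):] in ctx.roles
    if atom.startswith("project_id:"):
        # "%(project_id)s" is substituted from the target dict.
        return atom[len("project_id:"):] % target == ctx.project_id
    raise ValueError("unsupported atom: %r" % atom)


def make_policy(default):
    """policy.json-like dict (constructed). Only the action rules are defined,
    as in the report, so every '<action>:<attribute>' name falls to 'default'."""
    return {
        "admin_or_owner": "role:admin or project_id:%(project_id)s",
        "admin_only": "role:admin",
        "default": default,
        "delete_network": "rule:admin_or_owner",
        "delete_router": "rule:admin_or_owner",
        "update_subnet": "rule:admin_or_owner",
        # Present but never consulted, which is the report's update_subnet point.
        "subnets:shared:write": "rule:admin_only",
    }


def per_rule_results(action, default, ctx, target):
    """Result of each rule name that gets ANDed together for this action."""
    policy = make_policy(default)
    names = [action] + ["%s:%s" % (action, a) for a in ATTRIBUTE_RULES.get(action, [])]
    return {name: check(name, policy, ctx, target) for name in names}


def neutron_style_check(action, default, ctx, target):
    """The composite the DEBUG lines show: action rule AND every sub-rule."""
    return all(per_rule_results(action, default, ctx, target).values())


OWNER = Context(project_id="proj-a", roles={"member"})   # constructed
ADMIN = Context(project_id="proj-b", roles={"admin"})    # constructed
TARGET = {"project_id": "proj-a"}                        # constructed: OWNER's network


if __name__ == "__main__":
    for default in ("rule:admin_or_owner", "rule:admin_only"):
        print("default = %s" % default)
        for name, ok in per_rule_results("delete_network", default, OWNER, TARGET).items():
            print("  %-45s %s" % (name, ok))
        print("  owner may delete_network: %s"
              % neutron_style_check("delete_network", default, OWNER, TARGET))
        print("  admin may delete_network: %s"
              % neutron_style_check("delete_network", default, ADMIN, TARGET))
```

Running it shows "delete_network" itself passing for the owner under both defaults while the three provider sub-rules flip from pass to fail once "default" becomes admin_only, which is exactly the symptom the tests above hit. The same catch-all works in the other direction: a permissive "default" silently passes every unnamed attribute check, so the useful review step for an operator is to list the rule names the evaluator actually consults (the names in the DEBUG lines) and decide each one explicitly rather than relying on "default".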