Remove calls to policy.enforce from plugin and db logic
Blueprint make-authz-orthogonal. This patch implements item #2 of the blueprint. Remove calls to policy.enforce when the policy check can be performed safely at the API level, and modify policy.json to this aim. This patch does not address enforce calls in the agent scheduler extension, as that extension is currently not defined as a quantum.v2.api resource class. This patch also adds an API-level test case for the provider networks extension, which was missing in Quantum and was necessary to validate the API behaviour with the default policy settings. Change-Id: I1c20a5870279bc5fce4470c90a210eae59675b0c
parent
393cdd8ce8
commit
b3d5d163a4
|
@ -12,7 +12,6 @@
|
||||||
"extension:provider_network:set": "rule:admin_only",
|
"extension:provider_network:set": "rule:admin_only",
|
||||||
|
|
||||||
"extension:router:view": "rule:regular_user",
|
"extension:router:view": "rule:regular_user",
|
||||||
"extension:router:set": "rule:admin_only",
|
|
||||||
|
|
||||||
"extension:port_binding:view": "rule:admin_only",
|
"extension:port_binding:view": "rule:admin_only",
|
||||||
"extension:port_binding:set": "rule:admin_only",
|
"extension:port_binding:set": "rule:admin_only",
|
||||||
|
@ -31,7 +30,13 @@
|
||||||
"get_network": "rule:admin_or_owner or rule:shared or rule:external",
|
"get_network": "rule:admin_or_owner or rule:shared or rule:external",
|
||||||
"create_network:shared": "rule:admin_only",
|
"create_network:shared": "rule:admin_only",
|
||||||
"create_network:router:external": "rule:admin_only",
|
"create_network:router:external": "rule:admin_only",
|
||||||
|
"create_network:provider:network_type": "rule:admin_only",
|
||||||
|
"create_network:provider:physical_network": "rule:admin_only",
|
||||||
|
"create_network:provider:segmentation_id": "rule:admin_only",
|
||||||
"update_network": "rule:admin_or_owner",
|
"update_network": "rule:admin_or_owner",
|
||||||
|
"update_network:provider:network_type": "rule:admin_only",
|
||||||
|
"update_network:provider:physical_network": "rule:admin_only",
|
||||||
|
"update_network:provider:segmentation_id": "rule:admin_only",
|
||||||
"delete_network": "rule:admin_or_owner",
|
"delete_network": "rule:admin_or_owner",
|
||||||
|
|
||||||
"create_port": "",
|
"create_port": "",
|
||||||
|
|
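Review bot: The new `update_network:provider:*` entries have no `update_network:router:external` sibling in this hunk, although `create_network:router:external` is admin-only and the first hunk drops `extension:router:set`. If the plugin-level enforce call that relied on that rule is also removed by this commit (not visible here), a tenant who passes `update_network` (`rule:admin_or_owner`) could presumably change `router:external` on a network they own. I would add `"update_network:router:external": "rule:admin_only",` next to the other update rules, or confirm that a rule elsewhere in the file covers the update path. The same question applies to `shared`, which has only a create-time rule in the visible lines.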