Add missing policy actions to policy.json file
This patchset adds missing policy actions to the policy.json
file for several reasons:
1) It signals to operators all the policy actions that are
enforced in the system. With the governance spec [0]
urging projects toward policy in code documentation,
it makes sense to document all policy actions in the
policy.json as Neutron doesn't have policy in code.
2) It is consistent with Neutron's policy enforcement
documentation [1]:
"For each attribute which has been explicitly specified in the
request create a rule matching policy names in the form
<operation>_<resource>:<attribute> rule"
So it makes sense to capture each policy that is enforced,
including all those with these special attributes.
3) Why include "update_router:external_gateway_info" but not
"create_router:external_gateway_info"? This is inconsistent.
4) It makes it difficult to validate Neutron's policy via Patrole
if the policies aren't contained in the policy.json -- how else
is it possible to determine which policies to expect if they
aren't documented anywhere?
[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow
Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df
(cherry picked from commit 41fe927c80)
parent
45855b7bb3
commit
b5f7bd333e
|
@ -73,6 +73,7 @@
|
|||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
|
@ -89,6 +90,7 @@
|
|||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
|
@ -101,6 +103,8 @@
|
|||
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
|
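Review bot: The router hunk (@@ -101,6 +103,8) adds create-side entries for `external_gateway_info` and its `network_id` and `enable_snat` sub-attributes, but if this file also enforces an `external_fixed_ips` sub-attribute on update (it is not visible in this page, so this is to be confirmed), the matching `create_router:external_gateway_info:external_fixed_ips` entry is still absent and that attribute would fall back to the file's `default` rule at create time while being restricted at update time, which is the same create/update asymmetry the commit message calls out for `external_gateway_info`. Which of the lines in each hunk is the added one is not recoverable from this rendering, so the point is hedged on that. The same review applies to the `create_port`/`update_port` hunks above, where the new `fixed_ips:ip_address` entries repeat their parent rule while `fixed_ips:subnet_id` is looser (`or rule:shared`); policy.json cannot carry a comment, so the intent behind that difference exists only in this commit message and would be worth recording in the policy documentation referenced as [1]. The hunks are rendered a second time further down the page; nothing differs there.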
|
|
@ -73,6 +73,7 @@
|
|||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
|
@ -89,6 +90,7 @@
|
|||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
|
||||
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
|
||||
|
@ -101,6 +103,8 @@
|
|||
|
||||
"get_router:ha": "rule:admin_only",
|
||||
"create_router": "rule:regular_user",
|
||||
"create_router:external_gateway_info": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
|
||||
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
|
||||
"create_router:distributed": "rule:admin_only",
|
||||
"create_router:ha": "rule:admin_only",
|
||||
|
|
|
@ -1276,8 +1276,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
|
|||
'ip_address':
|
||||
s2['subnet']['gateway_ip']}
|
||||
with self.port(subnet=s1, fixed_ips=fixed_ips,
|
||||
tenant_id=router_tenant_id,
|
||||
set_context=True) as p:
|
||||
tenant_id=router_tenant_id) as p:
|
||||
kwargs = {'expected_code': expected_code}
|
||||
if not router_action_as_admin:
|
||||
kwargs['tenant_id'] = router_tenant_id
|
||||
|
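Review bot: Removing `set_context=True` from the `self.port(...)` call (the new `tenant_id=router_tenant_id) as p:` line) means the port is now created outside the tenant's context, so this test no longer exercises tenant-scoped enforcement on the port create itself; the enclosing test method starts before the hunk and its name is not visible here. Presumably the change is needed because a tenant-context create with an explicit `ip_address` is now denied by the added `create_port:fixed_ips:ip_address` rule, but nothing in the test records that. A comment above the call would keep the reasoning with the code: `# Create the port without the tenant context: specifying fixed_ips ip_address on a subnet the tenant does not own is denied by create_port:fixed_ips:ip_address.` If the denied tenant-context case matters for the policy being added, a separate test asserting that denial would preserve the coverage this change drops.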
@ -1778,7 +1777,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
|
|||
gw_info = body['router']['external_gateway_info']
|
||||
self.assertIsNone(gw_info)
|
||||
|
||||
def test_create_router_port_with_device_id_of_other_teants_router(self):
|
||||
def test_create_router_port_with_device_id_of_other_tenants_router(self):
|
||||
with self.router() as admin_router:
|
||||
with self.network(tenant_id='tenant_a',
|
||||
set_context=True) as n:
|
||||
|
@ -1792,7 +1791,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
|
|||
set_context=True,
|
||||
expected_res_status=exc.HTTPConflict.code)
|
||||
|
||||
def test_create_non_router_port_device_id_of_other_teants_router_update(
|
||||
def test_create_non_router_port_device_id_of_other_tenants_router_update(
|
||||
self):
|
||||
# This tests that HTTPConflict is raised if we create a non-router
|
||||
# port that matches the device_id of another tenants router and then
|
||||
|
|