Add missing policy actions to policy.json file

This patchset adds missing policy actions to the policy.json
file for several reasons:

1) It signals to operators all the policy actions that are
   enforced in the system. With the governance spec [0]
   urging projects toward policy in code documentation,
   it makes sense to document all policy actions in the
   policy.json as Neutron doesn't have policy in code.

2) It is consistent with Neutron's policy enforcement
   documentation [1]:

   "For each attribute which has been explicitly specified in the
    request create a rule matching policy names in the form
    <operation>_<resource>:<attribute> rule"

    So it makes sense to capture each policy that is enforced,
    including all those with these special attributes.

3) Why include "update_router:external_gateway_info" but not
   "create_router:external_gateway_info"? This is inconsistent.

4) It makes it difficult to validate Neutron's policy via Patrole
   if the policies aren't contained in the policy.json -- how else
   is it possible to determine which policies to expect if they
   aren't documented anywhere?

[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow

Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df
(cherry picked from commit 41fe927c80)
This commit is contained in:
Felipe Monteiro 2018-06-22 17:32:21 +01:00 committed by Slawek Kaplonski
parent 45855b7bb3
commit b5f7bd333e
3 changed files with 11 additions and 4 deletions

View File

@ -73,6 +73,7 @@
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@ -89,6 +90,7 @@
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@ -101,6 +103,8 @@
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info": "rule:admin_or_owner",
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",

View File

@ -73,6 +73,7 @@
"create_port": "",
"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@ -89,6 +90,7 @@
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@ -101,6 +103,8 @@
"get_router:ha": "rule:admin_only",
"create_router": "rule:regular_user",
"create_router:external_gateway_info": "rule:admin_or_owner",
"create_router:external_gateway_info:network_id": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_router:distributed": "rule:admin_only",
"create_router:ha": "rule:admin_only",

View File

@ -1276,8 +1276,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
'ip_address':
s2['subnet']['gateway_ip']}
with self.port(subnet=s1, fixed_ips=fixed_ips,
tenant_id=router_tenant_id,
set_context=True) as p:
tenant_id=router_tenant_id) as p:
kwargs = {'expected_code': expected_code}
if not router_action_as_admin:
kwargs['tenant_id'] = router_tenant_id
@ -1778,7 +1777,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
gw_info = body['router']['external_gateway_info']
self.assertIsNone(gw_info)
def test_create_router_port_with_device_id_of_other_teants_router(self):
def test_create_router_port_with_device_id_of_other_tenants_router(self):
with self.router() as admin_router:
with self.network(tenant_id='tenant_a',
set_context=True) as n:
@ -1792,7 +1791,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin):
set_context=True,
expected_res_status=exc.HTTPConflict.code)
def test_create_non_router_port_device_id_of_other_teants_router_update(
def test_create_non_router_port_device_id_of_other_tenants_router_update(
self):
# This tests that HTTPConflict is raised if we create a non-router
# port that matches the device_id of another tenants router and then