Policy rule checks for rules like e.g.
"create_port:fixed_ips:subnet" couldn't be created to be
passed to policy enforcer because policy module could only
create rule checks for subattributes which are dict types.
With this patch checks for such rules can be created also for
attributes which are list of dicts, like e.g. fixed_ips in port
resource.
Conflicts:
etc/policy.json
neutron/tests/etc/policy.json
Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
Closes-Bug: #1822105
(cherry picked from commit 9318fb8bb9)
(cherry picked from commit a238b1bed6)
(cherry picked from commit 73bbfa4315)
Today our unit test code uses various ways to "patch" the global
RESOURCE_ATTRIBUTE_MAP as well as extension specific maps in some cases.
This patch consolidates such patching whereby tests should use neutron's
AttributeMapMemento in their setup() chain (only once) if they update
the global map and they should individually handle backup/restore of per
extension map updates. This change will simplify the code and make it
easier to phase-in API definition usage with neutron-lib where we have
some as API definitions and others not. Longer term the
AttributeMapMemento will be replaced with neutron-lib's fixture as we
move all extension maps to API definitions in neutron-lib.
Change-Id: I2586f0b11b107d7f57214a0d65bcf7c38a5f0ebb
Drops unit tests related to fwaas policies.
Tests related to get_firewall_policy/rule are also unnecessary.
They have been migrated to neutron-fwaas already.
Closes-Bug: #1703347
Depends-On: I6dc6b2295a605444c918e44949f4b1485177e82e
Change-Id: Ie866f140fd4e5537ff0d757304ab5279f0cf0a79
The well known service type constants are in
neutron_lib.plugins.constants, but for legacy reasons a few still exist
and are referenced from neutron_lib.constants that we'd like to remove.
This patch switches references over to neutron_lib's plugin constants.
Change-Id: I1861448cec303725b30cef8f42029f467f9e03a3
Register a new extension into Neutron server, and this extension
contains a member action. If the new member action contains the "update"
string, Neutron server checks whether the target contains
"ATTRIBUTES_TO_UPDATE". Because this is a member action, Neutron
server will not go through the "_update" method as normal but through the
"_handle_action" method. So the exception KeyError: 'attributes_to_update'
happens.
Co-Authored-By: zhang ping <ping.zhang@easystack.cn>
Change-Id: Ie8bb7b9af42a82aada28d2bcdfd5b0e573ad9778
Closes-Bug: #1606455
Neutron Manager is loaded at the very startup of the neutron
server process and with it plugins are loaded and stored for
lookup purposes as their references are widely used across the
entire neutron codebase.
Rather than holding these references directly in NeutronManager
this patch refactors the code so that these references are held
by a plugin directory.
This allows subprojects and other parts of the Neutron codebase
to use the directory in lieu of the manager. The result is a
leaner, cleaner, and more decoupled code.
Usage pattern [1,2] can be translated to [3,4] respectively.
[1] manager.NeutronManager.get_service_plugins()[FOO]
[2] manager.NeutronManager.get_plugin()
[3] directory.get_plugin(FOO)
[4] directory.get_plugin()
The more entangled part is in the neutron unit tests, where the
use of the manager can be simplified as mocking is typically
replaced by a call to the directory add_plugin() method. This is
safe as each test case gets its own copy of the plugin directory.
That said, unit tests that look more like API tests and that rely on
the entire plugin machinery, need some tweaking to avoid stumbling
into plugin loading failures.
Due to the massive use of the manager, deprecation warnings are
considered impractical as they cause logs to bloat out of proportion.
Follow-up patches that show how to adopt the directory in neutron
subprojects are tagged with topic:plugin-directory.
NeutronLibImpact
Partially-implements: blueprint neutron-lib
Change-Id: I7331e914234c5f0b7abe836604fdd7e4067551cf
Parent foreign key extraction requires another database fetch per object
validates, which does not scale well. To mitigate the issue, cache
extracted parent key values in a global policy cache dictionary.
Use oslo.cache to maintain cache. Hardcode expiration timeout for
policy lookups to 5 secs.
Change-Id: I6b3d7c96b7487c9bef6d39a28c76fea0721c3098
Related-Bug: #1513782
Remove deprecation warnings for various constants
and exceptions that have moved to neutron_lib.
Fix miscellaneous other deprecations.
Uses constants instead of l3_constants when importing
neutron-lib constants.
Co-Authored By: Henry Gessau <gessau@gmail.com>
Co-Authored By: Gary Kotton <gkotton@vmware.com>
Change-Id: Ib0e8ff5c3e23677c1009241a1818cbc8a3430c38
Currently the default value of target_tenant in rbac_policies resource
is None, if a user creates rbac policy without a target_tenant,
neutron-server raises an internal error.
This patch adds a check for target_tenant; it must be a string whose
length is TENANT_ID_MAX_LEN.
This patch also does a change for policy engine which now allows
enforce_policy to work on attrs without default.
Change-Id: I757b4b56a8cb1a8060cee3103ee2aead9be574de
Closes-bug: #1517331
During a port list operation, a port and its parent network
may be concurrently deleted from the database after they have
been retrieved from the DB but before policy is enforced.
Then when the policy engine tries to do a get_network to check
network ownership for a port on a network that no longer exists,
it will encounter a NetworkNotFound exception from the core plugin.
This exception was being propagated all of the way up to the whole
API operation as a 404, which made no sense in the context of a
port list.
This patch adjusts the logic to catch any NotFound exceptions during
this processing and convert them into a RetryRequest to trigger the
API to restart the operation. At this point the objects will be gone
from the database so the problematic items will not be passed to the
policy engine for enforcement.
Closes-Bug: #1528031
Change-Id: I89d12fe0767e1c7ecb68138b5f6f17aa68a68769
Now that we have the constant defined, we should reuse it from other
code to avoid potential typos.
Change-Id: Id7a941c1a461264ba44893d97cc6226f092e9888
The patch also improves the way in which the assertTrue (and
similarly assertFalse) are done.
We should use assertFalse not assertEqual.
Co-Authored-By: Gary Kotton <gkotton@vmware.com>
Closes-Bug: #1503074
Change-Id: I5f527ddf2ca522cdf101de2482d59f059eca010f
This replaces a mock on an internal oslo_policy http class
with a public fixture they provide.
Related-Bug: #1503890
Change-Id: Ifa445b699f71379c7922960375a5e1d25f873f91
We were mocking internal behavior of oslo policy by
patching urllib. This will break with the upcoming oslo
release that switches to requests.
This patch changes the mock to the HTTPCheck level and we
can leave implementation details testing up to oslo_policy.
Change-Id: I07957f01307e25f1547197c720eea6e3e7f0ef5a
Closes-Bug: #1503890
(cherry picked from commit a0f1d9d6de)
Add testresources used by oslo.db fixture
If we use oslo.db fixtures, we'll need the package or
the next version of oslo.db release will break us.
Closes-Bug: #1503501
Change-Id: I7dfbf240333095d91a414ba15a439bdc4804eb25
(cherry picked from commit 86ad967e40)
Fix functional test_server tests
Now oslo.service 0.10.0 no longer sends SIGHUP to parent and
children services.
This was a change introduced by 286a6ea, and since it invalidated
the very logic under test, this must be revised.
(cherry picked from commit 090fe71359)
Change-Id: I18a11283925369bc918002477774f196010a1bc3
Closes-bug: #1505438
(cherry picked from commit 090fe71359)
Make test_server work with older versions of oslo.service
Change I18a11283925369bc918002477774f196010a1bc3 fixed the test for
oslo.service >= 0.10.0, but it also broke it for older versions of
oslo.service. Since the library has minimal version of >= 0.7.0 in
requirements.txt, test should pass for those versions too.
Now, instead of validating that either reset() or restart() of workers
are triggered on SIGHUP, just validate that .start() is triggered the
expected number of times (either way, no matter how oslo.service decide
to clean up the children, they exit and then are respawned).
Change-Id: I41f9d3af780b3178b075bc1e7084f417a2bd1378
Closes-Bug: #1505645
(cherry picked from commit 7bb4092166)
Fixed multiple py34 gate issues
1. Scope mock of 'open' to module
By mocking 'open' at the module level, we can avoid affecting
'open' calls from other modules.
2. Stop using LOG.exception in contexts with no sys.exc_info set
Python 3.4 logger fills in record.exc_info with sys.exc_info() result
[1], and then it uses it to determine the current exception [2] to
append to the log message. Since there is no exception, exc_info[1] is
None, and we get AttributeError inside traceback module.
It's actually a bug in Python interpreter that it attempts to access the
attribute when there is no exception. It turns out that it's fixed in
latest master of cPython [3] (the intent of the patch does not seem
relevant, but it removes the offending code while reshuffling the code).
Note that now cPython correctly checks the exception value before
accessing its attributes [4].
The patch in cPython that resulted in the failure is [5] and is present
since initial Python 3k releases.
The patch in fixtures that broke us is [6].
[1]: https://hg.python.org/cpython/file/tip/Lib/logging/__init__.py#l1412
[2]: https://hg.python.org/cpython/file/tip/Lib/logging/__init__.py#l575
[3]: https://hg.python.org/cpython/rev/73afda5a4e4c
[4]: https://hg.python.org/cpython/rev/73afda5a4e4c#l6.484
[5]: https://hg.python.org/cpython/rev/2ee09afee126
[6]: 67dd295694
Closes-Bug: #1503847
Closes-Bug: #1504053
Co-Authored-By: Ihar Hrachyshka <ihrachys@redhat.com>
Change-Id: I456b7846b8a53e4d3f8c91583685e0e1eaa84719
(cherry picked from commit 8f58bbf38f)
We were mocking internal behavior of oslo policy by
patching urllib. This will break with the upcoming oslo
release that switches to requests.
This patch changes the mock to the HTTPCheck level and we
can leave implementation details testing up to oslo_policy.
Change-Id: I07957f01307e25f1547197c720eea6e3e7f0ef5a
Closes-Bug: #1503890
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.
This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.
Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.
Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
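
The rule described in the commit message above, as an added example (not neutron's code): a simplified field check that accepts a regex, used to refuse a 'network:'-prefixed device_owner unless the caller is an admin or owns the network. The names RegexFieldCheck, Credentials, may_set_device_owner and the sample tenants and networks are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    tenant_id: str
    is_admin: bool = False


class RegexFieldCheck:
    """Simplified stand-in for a policy field check (hypothetical class).

    A value of the form "=~<pattern>" is matched as a regex against the
    target field; any other value is compared for equality.
    """

    def __init__(self, field, value):
        self.field = field
        self.regex = re.compile(value[2:]) if value.startswith("=~") else None
        self.value = value

    def __call__(self, target):
        actual = target.get(self.field)
        if actual is None:
            return False
        if self.regex is not None:
            return bool(self.regex.match(str(actual)))
        return str(actual) == self.value


# Ports whose device_owner starts with 'network:' are treated as trusted
# network devices, so this is the field the policy has to guard.
NETWORK_DEVICE = RegexFieldCheck("device_owner", "=~^network:")

# Constructed sample data: one shared network owned by tenant-a.
SAMPLE_NETWORKS = {"net-shared": {"tenant_id": "tenant-a", "shared": True}}


def may_set_device_owner(creds, port, networks):
    """Allow the request unless it claims a trusted device_owner on a
    network the caller neither administers nor owns."""
    if not NETWORK_DEVICE(port):
        return True  # ordinary owner such as 'compute:nova'
    if creds.is_admin:
        return True
    network = networks.get(port.get("network_id"))
    # Unknown network: deny rather than guess at ownership.
    return network is not None and network["tenant_id"] == creds.tenant_id


def port(device_owner, network_id="net-shared"):
    """Build a constructed port-create body."""
    return {"network_id": network_id, "device_owner": device_owner}
```

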
Some non intrusive changes to tests are needed, so that we don't rely on
library symbols that are now private (f.e. parse_rule).
Closes-Bug: #1458945
Change-Id: I90326479e908042fec9ecb25fa19a8dd5b15e7d8
It served and warned users for enough time (since Icehouse) to be sure
everyone was notified about the need to update their policy file.
Change-Id: I240b935741e49fbf65c0b95715af04af4b2a73e7
get_admin_roles was introduced so that contexts generated from
within plugins could be used for policy checks. This was the case
up to the Havana release as several plugins invoked the policy
engine directly to authorize requests.
This was an incorrect behaviour and has now been fixed, meaning
that get_admin_roles is no longer needed and can be safely removed.
This will result in a leaner and more reliable codebase. Indeed the
function being removed here was the cause of several bugs where the
policy engine was initialized too early in the server bootstrap
process.
While this patch removes the feature it does not remove the
load_admin_roles parameter from context.get_admin_context. Doing so
will break other projects such as neutron-lbaas. The parameter is
deprecated by this patch and an appropriate warning emitted.
As a consequence neutron will now no longer perform policy checks
when context.is_admin=True. This flag is instead set either when
a context is explicitly created for granting admin privileges, or
when Neutron is operating in noauth mode. In the latter case every
request is treated by neutron as an admin request, and get_admin_roles
is simply ensuring the appropriate roles get pushed into the context
so that the policy engine will grant admin rights to the request.
This behaviour is probably just a waste of resource; also it is not
adding anything from a security perspective.
On the other hand not performing checks when context.is_admin is
True should not pose a security threat either in noauth mode or
with the keystone middleware. In the former case the software keeps
operating assuming admin rights for every request, whereas in the
latter case the keystone middleware will always supply a context
with the appropriate roles, and there is no way for an attacker
to trick keystonemiddleware into generating a context for which
is_admin=True.
Finally, this patch also does some non-trivial changes in test_l3.py
as some tests were mocking context.to_dict ignoring the is_admin flag.
Closes-Bug: #1446021
Change-Id: I8a5c02712a0b43f3e36a4f14620ebbd73fbfb03f
With this commit, it is possible to successfully run 'tox -epy34', even though
only a small amount of tests will actually be run. This is a required step in
making Neutron compatible with Python 3, as described in the 'Porting to Python
3' specification.
This commit:
- fixes some broken imports, while making sure they still work with Python 3;
- updates a call to gettext.install;
- adds a py34 target in tox.ini.
Change-Id: I91cc7a992d05ea85f7004d1c5a45a1c02cbf1c85
Blueprint: neutron-python3
This patch adds following actions into policy.json.
1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule
Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
Removed use of contextlib.nested call from codebase, as it has been
deprecated since Python 2.7.
There are also known issues with contextlib.nested that were addressed
by the native support for multiple "with" variables. For instance, if
the first object is created but the second one throws an exception,
the first object's __exit__ is never called. For more information see
https://docs.python.org/2/library/contextlib.html#contextlib.nested
contextlib.nested is also not compatible with Python 3.
This is the first patch in a series for removing use of
contextlib.nested.
Added hacking check to catch if any new instances are added to
the codebase.
Line continuation markers (e.g. '\') had to be used or syntax
errors were thrown. While using parentheses is the preferred way
for multiple line statements, in case of long with statements
backslashes are acceptable.
Partial-Bug: 1428424
Change-Id: I171fbdb89892a3d4548bf2ca52f4a7dd9ef8dccb
This routine in policy.py used to have a backward compatibility
check to ensure proper behaviour even when the policy.json file
did not have a specific 'context_is_admin' policy.
However, this backward compatibility check does not work. It
appears indeed that it has been broken for several release cycles;
it is also possible that actually it never worked.
When the 'context_is_admin' policy is not in the policy.json file
the enforcer simply ends up evaluating whatever is the default
policy configured there.
Therefore this patch:
- Removes the backward compatibility check, since it does not work
- Fails, for safety, check_is_admin if 'context_is_admin' policy is
not specified
- Fixes check_is_advsvc in the same way (the backward compatibility
check never made any sense for this function)
- Fixes unit tests adding appropriate tests for check_is_admin and
check_is_advsvc
Change-Id: Ia47e5781d86a3f21b9d837c9ac70a62ac435d20b
Closes-Bug: #1445690
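
The failure mode described in the commit message above, as an added example (not neutron's or oslo's code): when the 'context_is_admin' rule is absent, an enforcer that falls back to the default rule answers the admin question with whatever the default allows, while the fail-safe variant refuses. MiniEnforcer, both check functions and the sample rules are assumptions made for the illustration.

```python
class MiniEnforcer:
    """Tiny rule evaluator (hypothetical). A rule is a callable taking a
    credentials dict; unknown rule names fall back to the default rule."""

    def __init__(self, rules, default_rule="default"):
        self.rules = rules
        self.default_rule = default_rule

    def enforce(self, name, creds):
        rule = self.rules.get(name)
        if rule is None:
            rule = self.rules.get(self.default_rule)
        if rule is None:
            return False
        return bool(rule(creds))


def has_role(role):
    """Build a rule that passes when the credentials carry the role."""
    return lambda creds: role in creds.get("roles", [])


def check_is_admin_fallback(enforcer, creds):
    """Behaviour the commit removes: a missing rule silently becomes
    an evaluation of the default policy."""
    return enforcer.enforce("context_is_admin", creds)


def check_is_admin_failsafe(enforcer, creds):
    """Behaviour the commit introduces: no 'context_is_admin' rule
    means nobody is considered an admin."""
    if "context_is_admin" not in enforcer.rules:
        return False
    return enforcer.enforce("context_is_admin", creds)


# Constructed policies: the first omits 'context_is_admin' and has a
# default that any ordinary member satisfies; the second defines it.
POLICY_WITHOUT_ADMIN_RULE = MiniEnforcer({"default": has_role("member")})
POLICY_WITH_ADMIN_RULE = MiniEnforcer({
    "default": has_role("member"),
    "context_is_admin": has_role("admin"),
})

MEMBER = {"roles": ["member"]}
ADMIN = {"roles": ["admin", "member"]}
```

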
Some neutron resource with special plural form
can not apply the policy control using policy.json
when create/update/delete the resource.
Following resources can not apply the policy control
because of wrong pluralize process:
* firewall_policy
* ipsec_policy
* ikepolicy
Current pluralize process is as following:
"resource" + "s"
e.g. *_policy -> *_policys
This fix enables to apply the policy control with those resources.
*_policy -> *_policies
Change-Id: I38a55e95f653f69edd477dbbcbdd6e956c0a0e2b
Closes-Bug: 1407886
This is needed to avoid test cases breaking policy file search code from
oslo.config by mocking out stdlib functions from os module like
os.path.isdir or os.path.exists.
This also allows us to remove explicit policy setup from test_api_v2 and
test_policy files.
Note that for test_netns_cleanup, test_ovs_cleanup, and test_config, we
removed test_setup_conf test cases. They test a function that is used in
other test cases only, and hence do not belong to the suite. This allows
us to avoid hacks around those test cases that do not play nice with
global config-file options we set in BaseTestCase.
Change-Id: If14a3c741837193ad104467f0cf4486a6a386e6d
Closes-Bug: #1426369
Oslo project decided to move away from using oslo.* namespace for all their
libraries [1], so we should migrate to new import path.
This patch applies new paths for:
- oslo.config
- oslo.db
- oslo.i18n
- oslo.messaging
- oslo.middleware
- oslo.rootwrap
- oslo.serialization
- oslo.utils
Added hacking check to enforce new import paths for all oslo libraries.
Updated setup.cfg entry points.
We'll cleanup old imports from oslo-incubator modules on demand or
if/when oslo officially deprecates old namespace in one of the next
cycles.
[1]: https://blueprints.launchpad.net/oslo-incubator/+spec/drop-namespace-packages
Depends-On: https://review.openstack.org/#/c/147248/
Depends-On: https://review.openstack.org/#/c/152292/
Depends-On: https://review.openstack.org/#/c/147240/
Closes-Bug: #1409733
Change-Id: If0dce29a0980206ace9866112be529436194d47e
Instead, provide self.get_temp_file_path() utility method for tests
interested in creating temporary files.
There are also cases when tests are interested in multiple separate
temporary directories. With this in mind, self.get_temp_file_path()
supports root= argument that allows to pass a different temporary
directory fixture than default.
While at it, consolidated cleanup setup for NEC temporary file in single
place.
Change-Id: Ie041edcfde1b16183244a3e6068658308d2a67f5
Common policy has not been synced with oslo-incubator for a
long time and is seriously outdated.
This change pulls in fresh code from oslo-incubator which
introduces the Enforcer class to replace the old check function.
Rewrite neutron.policy using naming conventions and approach
that was set in Nova and amend related unit tests.
Remove neutron.common.exceptions.PolicyNotAuthorized and switch
to neutron.openstack.common.policy.PolicyNotAuthorized.
Drop Neutron specific policy_file option since now it is defined
in oslo-incubator policy module.
Change log:
4ca5091 Fixes nits in module policy
262fc82 Correct default rule name for policy.Enforcer
9e8b9f6 Minor fixes in policy module
6c706c5 Delete graduated serialization files
5d40e14 Remove code that moved to oslo.i18n
aebb58f Fix typo to show correct log message
bb410d9 Use MultiStrOpt for policy_dirs
33f44bf Add support for policy configration directories
2b966f9 Fix deletion of cached file for policy enforcer
238e601 Make policy debug logging less verbose
fe3389e Improve help strings
15722f1 Adds a flag to determine whether to reload the rules in policy
5d1f15a Documenting policy.json syntax
fcf517d Update oslo log messages with translation domains
e038d89 Fix policy tests for parallel testing
0da5de6 Allow policy.json resource vs constant check
e4b2334 Replaces use of urlutils with six in policy module
8b2b0b7 Use hacking import_exceptions for gettextutils._
0d8f18b Use urlutils functions instead of urllib/urllib2
12bcdb7 Remove vim header
9ef9fec Use six.string_type instead of basestring
4bfb7a2 Apply six for metaclass
1538c80 ConfigFileNotFoundError with proper argument
33533b0 Keystone user can't perform revoke_token
64bb5e2 Fix wrong argument in openstack common policy
b7edc99 Fix missing argument bug in oslo common policy
3626b6d Fix policy default_rule issue
7bf8ee9 Allow use of hacking 0.6.0 and enable new checks
e4ac367 Fix missing argument bug in oslo common policy
1a2df89 Enable H302 hacking check
7119e29 Enable hacking H404 test.
6d27681 Enable H306 hacking check.
1091b4f Reduce duplicated code related to policies
Closes-Bug: #1288178
Change-Id: I87ee30e2b64ec6b07faa84a231fd5f7eb925d501
Add in a default "advsvc" user and the logic in the Neutron policy
infrastructure which will allow this user to create/get/update/delete
ports on other tenants networks, as well as view other tenants
networks. This is for the use case of letting advanced services have
a user to put ports on other tenants networks. By default, we do not
define any roles for the policy "context_is_advsvc", but rely on
operators to specify the likely value of "role advsvc".
DocImpact
Closes-Bug: #1331836
Change-Id: I94cb3383eb1fed793934719603f888dbbdbbd85a
Co-Authored-By: Susanne Balle <sleipnir012@gmail.com>
A regular user can reset an admin-only attribute to its default
value due to the fact that a corresponding policy rule is
enforced only in the case when an attribute is present in the
target AND has a non-default value.
Added a new attribute "attributes_to_update" which contains a list
of all to-be updated attributes to the body of the target that is
passed to policy.enforce.
Changed a check for whether an attribute is explicitly set.
Now, in the case of update, the function should not pay attention
to a default value of an attribute, but check whether it was
explicitly marked as being updated.
Added unit-tests.
Closes-Bug: #1357379
Related-Bug: #1338880
Change-Id: I6537bb1da5ef0d6899bc71e4e949f2c760c103c2
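
The bug and the fix described in the commit message above, as an added example (not neutron's code): the old "explicitly set" test ignores an attribute whose new value equals its default, so a reset by a regular user slips past the admin-only rule, while the new test looks at the list of attributes named in the update request. The attribute map, function names and sample network are assumptions made for the illustration.

```python
# Constructed attribute map: 'shared' may only be changed by admins.
ATTRIBUTES = {
    "name": {"default": "", "admin_only": False},
    "shared": {"default": False, "admin_only": True},
}
ATTRIBUTES_TO_UPDATE = "attributes_to_update"


def build_update_target(existing, body):
    """Merge the stored resource with the request body and record which
    attributes the request names."""
    target = dict(existing)
    target.update(body)
    target[ATTRIBUTES_TO_UPDATE] = sorted(body)
    return target


def explicitly_set_legacy(attr, target, action):
    """Pre-fix logic: present in the target AND different from the default."""
    return attr in target and target[attr] != ATTRIBUTES[attr]["default"]


def explicitly_set_fixed(attr, target, action):
    """Post-fix logic: on update, only the request's attribute list counts."""
    if action.startswith("update"):
        # Assumption: a target without the list names no attributes.
        return attr in target.get(ATTRIBUTES_TO_UPDATE, ())
    return explicitly_set_legacy(attr, target, action)


def enforce(is_admin, action, target, explicitly_set):
    """Return True if every admin-only attribute that the given check
    considers set is being written by an admin."""
    for attr, spec in ATTRIBUTES.items():
        if spec["admin_only"] and explicitly_set(attr, target, action):
            if not is_admin:
                return False
    return True


def reset_attempt(is_admin, explicitly_set):
    """A caller sends {"shared": False} against a network that an admin
    had previously shared (constructed sample)."""
    existing = {"name": "net1", "shared": True}
    target = build_update_target(existing, {"shared": False})
    return enforce(is_admin, "update_network", target, explicitly_set)
```

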
There are a lot of policy rules which should not necessarily
be explicitly specified in policy.json to be checked while enforcement.
There should be a way for an operator to know which policy rules are
actually being enforced for each action.
Added a unit test.
Change-Id: I261d3e230eced9ea514b35cc3f5f8be04f84c751
Closes-Bug: #1356679
jsonutils provides multiple benefits in comparison to pure stdlib json
(like using simplejson on Python 2.6).
Similar patch was already merged before [1], but since it lacked hacking
rule to enforce jsonutils usage, new occurrences of stdlib json module
usage were introduced.
This patch switches all the code to using jsonutils and adds a hacking
rule to enforce the rule.
The hacking rule requires that jsonutils module does not mimic as 'json'
thru using import renames, so the code was updated not to rename the
module when doing import.
The hacking rule was shamelessly copied from the corresponding nova
review [2].
[1]: https://review.openstack.org/#/c/99760/
[2]: https://review.openstack.org/111296/
Change-Id: Ie7a5bb76445e15cde9fbf9ff3d2101a014637b37
jsonutils have several benefits in comparison to pure json
implementation, like enabling C boosted encoders and decoders for
Python2.6 by using simplejson when available.
Change-Id: I24d0cd442e8d9d89fac50e43fc97f7bb4a293c3d
Closes-Bug: 1329496
The policy engine is currently being called for every attribute
of every resource to be returned by a list response. This is
harming the API performance; moreover such a high number of checks
is also unnecessary.
This patch therefore slightly changes the API logic so that list
responses first determine the list of attributes which should be
returned querying the policy engine and then use this list for
all resource items to be returned.
To this aim a few methods in base.py needed to be refactored.
This patch also removes the routine check_if_exists from policy.py
and the related PolicyNotFound exception.
Finally, this patch also removes unnecessary admin_or_owner rules
when applied to attributes. This kind of rule indeed has no effect
anyway because of Neutron's ownership checks. The rules were removed
because this change won't allow anymore for having attribute-level
policies whose evaluation result depends on the resource value.
Implements blueprint faster-list-responses
Change-Id: I21b8273add5d5984f512ad94af5a99cf0b0a5d93
The tests that inherit from BaseTestCase don't need to stop their
patches, since this is already done in the base class
Change-Id: Ibb1183e521686d6e948046997b32f4044d91d9e7
Closes-bug: #1305656
This patch changes the policy engine behaviour and the API base
controller in order to ensure policy.init is invoked only once
for each API request.
This will avoid issues arising from policy file updates during
API processing and speed up response generation for list operations,
by about 5%.
This patch also removes an obsolete TODO comment.
Change-Id: I108ebd26fccdea19cb00959f70d87c3bc1587df9
Closes-Bug: 1302611
to keep Python 3.x compatibility, use six.StringIO/BytesIO to
replace StringIO.StringIO
StringIO works for unicode
BytesIO works for bytes
Change-Id: I3892098e31d8d6984d58136110aae653dc4047ab
Closes-Bug: #1280100
Updated policy for firewall_policy and firewall_rule to allow sharing
among tenants. Added a new firewall sharing rule to enable this.
Change-Id: I5d4d9f94fb3abffe4d1b03c46fd5b13a8a4a4f09
Fixes: bug #1217103
Part 2 of blueprint l3-ext-gw-modes
This patch extends the logic for building policy rule matches in order to
include sub-attributes as well. This logic will be leveraged by the
ext-gw-mode api extension.
Change-Id: I7f46a395597b71bb1c5110aa4e792a04a5010d4c
This change renames everything to Neutron while providing backwards
compatible adjustments for Grizzly configuration files.
implements blueprint: remove-use-of-quantum
Change-Id: Ie7d07ba7c89857e13d4ddc8f0e9b68de020a3d19
If the invocation of f bombs out, the policy check fails (i.e. returns
False), however it does not log the root cause, which makes it very
difficult to understand why this is happening.
Fixes bug #1191948
Change-Id: Ic40053f3965b71199baf9fe3902e8ffc9745076f
Bug 1179745
This patch introduces a new type of check whose aim is to fetch
the parent resource's owner only when a rule that explicitly needs
it needs to be checked.
Change-Id: I1ff429eb3f92b35bcb9b4c4e01b65f8c0a595f48
Blueprint make-authz-orthogonal
Patch #4 for this blueprint.
With this change, if policies starting with 'extension' are still
present in policy.json, a deprecation warning will be emitted, and
the policy will be translated in the corresponding, new-style,
policy(ies).
Change-Id: Iccf0f36cc2547c35c66854b8a3fdb7185b5214bd