41fe927c80
This patchset adds missing policy actions to the policy.json file for several reasons:

1) It signals to operators all the policy actions that are enforced in the system. With the governance spec [0] urging projects toward policy in code documentation, it makes sense to document all policy actions in the policy.json as Neutron doesn't have policy in code.

2) It is consistent with Neutron's policy enforcement documentation [1]:

   "For each attribute which has been explicitly specified in the request create a rule matching policy names in the form <operation>_<resource>:<attribute> rule"

   So it makes sense to capture each policy that is enforced, including all those with these special attributes.

3) Why include "update_router:external_gateway_info" but not "create_router:external_gateway_info"? This is inconsistent.

4) It makes it difficult to validate Neutron's policy via Patrole if the policies aren't contained in the policy.json -- how else is it possible to determine which policies to expect if they aren't documented anywhere?

[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html
[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#authorization-workflow

Change-Id: I40f84134f0b56cfd574dfd69e5ebbf6a3fc2b3df

- neutron
- oslo-config-generator
- api-paste.ini
- policy.json
- README.txt
- rootwrap.conf

To generate the sample neutron configuration files, run the following command from the top level of the neutron directory:

    tox -e genconfig

If a 'tox' environment is unavailable, then you can run the following script instead to generate the configuration files:

    ./tools/generate_config_file_samples.sh