
This API policy rule can be used to specify who besides admin and service role can have access to the resources from all projects. It is added to the neutron_lib.context.Context with patch [1]. This patch also adds unit tests to check basic GET network(s) calls to the core plugin to make sure that it can return from the database resources which belong to different projects if `context.has_global_access` is set to `True`. Those unit tests are not testing API policies, as the policy module is "skipped" in those unit tests completely. Additionally this patch adds documentation which describes how to use this rule in the custom policy file. [1] https://review.opendev.org/c/openstack/neutron-lib/+/954054 Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/954054 Related-bug: #2115184 Change-Id: Id68170ef7ed12ddca51610d53e6ef936d84577be Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Custom Policy Roles

Besides the default policy roles (see the Policy Reference), Neutron also supports custom roles. Using a custom role with, for example, read-only access to all of the resources requires configuring the policy rule that allows global access to the resources.

To grant the auditor role access to fetch all of the resources from the database, the following rule should be added to the policy.yaml file:

    "context_with_global_access": "role:auditor"

This makes all SQL queries issued by Neutron with the auditor role in the context unscoped by project ID. It does not, however, yet grant the auditor role permission to receive all of the resources from the Neutron API: every row returned by the unscoped query is still checked against the policy rule of the API action. To grant such permission for, for example, the get_network action, the following rule should be added to the policy.yaml file:

    "get_network": "role:admin_only or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:auditor"

With those two rules in place, the auditor role will be able to fetch all of the networks from the Neutron API. The same change has to be made to the rule of every other API action the auditor role should have global access to.
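The interaction between the two rules is easiest to see by running them. The following script is an added illustration, not Neutron or oslo.policy code: it contains a toy evaluator for the subset of the oslo.policy rule syntax used above (or/and/not, parentheses, role:, rule:, field:, and generic credential checks such as project_id:%(project_id)s) and a model of the two steps Neutron performs, the project-scoped or unscoped database query followed by the per-resource get_network check. The network list, the auditor credentials and the definitions of the shared, external and context_is_advsvc rules are constructed stand-ins, not values taken from the page or from Neutron's real policy defaults.

```python
"""Toy model of how context_with_global_access and get_network interact.

Added illustration only: not oslo.policy and not Neutron code. Undefined
rule references are treated as deny, which is an assumption of this toy.
"""
import re

# Tokens: parentheses, the keywords or/and/not, or a single check such as
# "role:auditor". A check may itself contain "%(attr)s" substitutions.
_TOKEN = re.compile(r"\(|\)|\bor\b|\band\b|\bnot\b|(?:%\([^)]*\)|[^\s()])+")


class PolicyEvaluator:
    """Evaluates a policy.yaml-style rule set against a target and a caller."""

    def __init__(self, rules):
        self.rules = rules  # {rule_name: rule_string}, as written in policy.yaml

    def check(self, name, target, creds):
        if name not in self.rules:
            return False  # assumption: a missing rule denies
        tokens = _TOKEN.findall(self.rules[name])
        value, pos = self._expr(tokens, 0, target, creds)
        if pos != len(tokens):
            raise ValueError("trailing tokens in rule %r" % name)
        return value

    # expr := term ('or' term)*
    def _expr(self, tokens, pos, target, creds):
        value, pos = self._term(tokens, pos, target, creds)
        while pos < len(tokens) and tokens[pos] == "or":
            rhs, pos = self._term(tokens, pos + 1, target, creds)
            value = value or rhs
        return value, pos

    # term := factor ('and' factor)*
    def _term(self, tokens, pos, target, creds):
        value, pos = self._factor(tokens, pos, target, creds)
        while pos < len(tokens) and tokens[pos] == "and":
            rhs, pos = self._factor(tokens, pos + 1, target, creds)
            value = value and rhs
        return value, pos

    # factor := 'not' factor | '(' expr ')' | check
    def _factor(self, tokens, pos, target, creds):
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        tok = tokens[pos]
        if tok == "not":
            value, pos = self._factor(tokens, pos + 1, target, creds)
            return (not value), pos
        if tok == "(":
            value, pos = self._expr(tokens, pos + 1, target, creds)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            return value, pos + 1
        return self._check(tok, target, creds), pos + 1

    def _check(self, tok, target, creds):
        if tok == "@":  # always allow
            return True
        if tok == "!":  # always deny
            return False
        kind, _, value = tok.partition(":")
        if kind == "rule":  # reference to another named rule
            return self.check(value, target, creds)
        if kind == "role":  # caller holds the role
            return value in creds.get("roles", ())
        if kind == "field":  # field:<resource>:<attr>=<literal> on the target
            _, _, spec = value.partition(":")
            attr, _, literal = spec.partition("=")
            return str(target.get(attr)) == literal
        # Generic check: a credential compared with a literal, or with a
        # target attribute when written as %(attr)s (missing attr denies).
        try:
            if "%(" in value:
                value = value % target
        except KeyError:
            return False
        return str(creds.get(kind)) == value


def list_networks(evaluator, creds, networks):
    """Neutron's two steps: the query is scoped to the caller's project
    unless context_with_global_access passes, and every returned row is
    still subject to the get_network policy."""
    if evaluator.check("context_with_global_access", {}, creds):
        rows = list(networks)
    else:
        rows = [n for n in networks if n["project_id"] == creds["project_id"]]
    return [n["id"] for n in rows if evaluator.check("get_network", n, creds)]


# Constructed sample data: three networks in two projects, one of them shared.
NETWORKS = [
    {"id": "net-a", "project_id": "p1", "shared": False},
    {"id": "net-b", "project_id": "p2", "shared": False},
    {"id": "net-c", "project_id": "p2", "shared": True},
]
AUDITOR = {"project_id": "p1", "roles": ["reader", "auditor"]}

# The get_network rule from the page without the trailing "or role:auditor".
DEFAULT_GET_NETWORK = ("role:admin_only or (role:reader and project_id:%(project_id)s)"
                       " or rule:shared or rule:external or rule:context_is_advsvc")
# Assumed stand-in definitions for the rules it references.
BASE_RULES = {
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",
    "context_is_advsvc": "role:advsvc",
}


def policies():
    """Three policy.yaml variants: neither rule, only the global-access
    rule, and both rules from the page."""
    unchanged = dict(BASE_RULES, get_network=DEFAULT_GET_NETWORK)
    only_global = dict(unchanged, context_with_global_access="role:auditor")
    both = dict(only_global, get_network=DEFAULT_GET_NETWORK + " or role:auditor")
    return unchanged, only_global, both


if __name__ == "__main__":
    for label, rules in zip(("unchanged", "only_global", "both"), policies()):
        print(label, list_networks(PolicyEvaluator(rules), AUDITOR, NETWORKS))
```

With only context_with_global_access set, the unscoped query returns all three networks but get_network still admits only the auditor's own network and the shared one; adding role:auditor to get_network is what makes the remaining foreign network visible.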