x/group-based-policy
Code Issues Proposed changes

Fix policy.json

Browse Source 
The order of the admin_owner_or_network_owner alias in the
policy.json file can trigger DB queries for the network
resource in order to complete the policy checks, even in
cases where those checw aren't needed. This changes the
order of the policy rule to ensure that checks for the
tenant ID owner are made before looking at the tenant ID
of the network.

Change-Id: Ic3a7c99ff69c652bd1df4d43a98f298da876b4ba
This commit is contained in:
Thomas Bachman 2023-08-30 21:59:29 +00:00
parent ceb0c8c0bb
commit 9577735242
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
etc/policy.json
View File

@ -4,7 +4,7 @@
"admin_or_owner": "rule:context_is_admin or rule:owner",
"context_is_advsvc": "role:advsvc",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"shared": "field:networks:shared=True",