Public bug reported:

Certain API behaviors are regulated by oslo.policy policy at a granular level, but also have default values. If a user supplies API options that match the defaults, bypass the policy check since the result will be the same regardless.

A good example of this is creating a port with the boolean "enable_port_security" value, which in a typical deployment defaults to 'True'. The "create_port:port_security_enabled" policy governs this behavior, and is typically set to "rule:context_is_advsvc or rule:admin_or_network_owner", which means a non-admin user that is not the network owner would fail. Such a user should be able to specify port_security=True when creating a port and not have that operation fail the policy check.

Implementation
--------------

The policy check occurs almost immediately upon request receipt. Check for calls to enforce() in neutron/api/v2/base.py [1]. A data structure would need to be created from the policy-processing code that matches policy names with their respective default values. Then the enforce() call would be made contingent on divergence from the default.

[1] example: https://opendev.org/openstack/neutron/src/branch/master/neutron/api/v2/base.py#L468

** Affects: neutron
   Importance: Undecided
   Status: New

** Tags: rfe

--
https://bugs.launchpad.net/bugs/1821208
Title: [RFE] Only enforce policy when selected option does not match default
Status in neutron: New
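The following is an added example, not neutron's code and not part of the bug report, sketching the gating logic the RFE proposes: a table mapping a policy name to the attribute it governs and that attribute's default, and an enforce() call that is made only when the request diverges from the default. The policy table, the stand-in enforce() and the context/body dictionaries are constructed for illustration; in neutron the defaults would have to come from the same resource attribute map the server actually applies.

```python
# Added example (hypothetical helpers, not neutron's own code): skip a
# granular policy check when the requested value equals the effective default.
from typing import Any, Dict, Mapping, Tuple

# Constructed sample table: policy rule -> (attribute it governs, default).
# The default must be the one the server will really apply; if it can vary
# per deployment or per parent resource, compute it instead of hard-coding it.
POLICY_DEFAULTS: Dict[str, Tuple[str, Any]] = {
    "create_port:port_security_enabled": ("port_security_enabled", True),
}


class PolicyNotAuthorized(Exception):
    """Raised when the stand-in enforcer rejects the request."""


def enforce(context: Mapping[str, Any], rule: str, target: Mapping[str, Any]) -> bool:
    """Stand-in for oslo.policy enforcement (constructed): admins and the
    owner of the target resource pass, everyone else is rejected."""
    if context.get("is_admin") or context.get("project_id") == target.get("project_id"):
        return True
    raise PolicyNotAuthorized(rule)


def needs_enforcement(rule: str, body: Mapping[str, Any]) -> bool:
    """True when the request sets the governed attribute to a non-default value."""
    attr, default = POLICY_DEFAULTS[rule]
    if attr not in body:
        # Attribute not supplied: the default applies, nothing to enforce.
        return False
    value = body[attr]
    # Compare type and value strictly so that e.g. the string "True" is not
    # mistaken for the boolean default and silently waved through.
    return not (type(value) is type(default) and value == default)


def check_attribute_policy(context: Mapping[str, Any], rule: str, body: Mapping[str, Any]) -> str:
    """Enforce `rule` only if the request diverges from the default.

    Returns "skipped" when enforcement was bypassed and "enforced" when the
    enforcer ran and allowed the request; raises PolicyNotAuthorized otherwise.
    """
    if rule in POLICY_DEFAULTS and not needs_enforcement(rule, body):
        return "skipped"
    enforce(context, rule, body)
    return "enforced"


if __name__ == "__main__":
    # Constructed request: a non-admin from project p1 creating a port on a
    # network owned by project p2, keeping the default port security.
    ctx = {"project_id": "p1", "is_admin": False}
    body = {"project_id": "p2", "port_security_enabled": True}
    print(check_attribute_policy(ctx, "create_port:port_security_enabled", body))
```

The strict type comparison is the part worth keeping in any real implementation: the bypass is only safe when the supplied value is exactly what the server would have stored anyway, so anything that merely looks like the default after coercion should still go through enforce().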

