Open Stack

Given that Salvatore and Sumit were both concerned about the plugins
doing the authorization for provider network extended attributes (see
patch set 5 of https://review.openstack.org/#/c/9069/), I've been
working on a very simple mechanism to move those policy checks into the
core. This mechanism can be used for core attributes as well as extended
attributes that require specific authorization to be set or viewed.

The resource attributes map (see quantum/api/v2/attributes.py) currently
has boolean properties called allow_post, allow_put, and is_visible that
control whether an attribute can be set via create, set via update, or
viewed, respectively. My proposed approach is that each of these three
properties can still be a boolean, but if it is instead a string, that
string is passed to the policy.check function as the name of an action,
and the result of the check is used as the boolean would have been used.

Please let me know ASAP whether or not you feel this approach is
acceptable, or if you've got any questions or better (simple) ideas. I
hope to have it implemented and included in the next provider-network BP
patch later today.

Thanks,

-Bob