I am currently testing kolla-ansible using the latest release. During the creation of an external/provider network ("public"), I have observed that a non-admin project ("test") can view the network and allocate IP addresses for routers, for example. I would like to restrict this behavior so that the external network is listable (openstack network list), but IP allocation is denied.

  I have experimented with RBAC rules, creating a new role ("view-only") and assigning it to a user ("user") in the "test" project. I modified the policy.yaml files in both Neutron and Horizon as outlined in the documentation (https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-policy-customisation).

  Below are the snippets from my neutron/policy.yaml and horizon/neutron_policy.yaml files created following the sample https://docs.openstack.org/neutron/2023.2/configuration/policy-sample.html

policy.yaml
get_network: "(rule:admin_only) or (role:view_only)"

get_subnet: "(rule:admin_only) or (role:view_only)"
get_port: "(rule:admin_only) or (role:view_only)"
get_router: "(rule:admin_only) or (role:view_only)"

After deploying Neutron and Horizon, I adjusted the default RBAC policy so that the "External Network" action only affects the "admin" project, not "*". While the admin can still see the public network, the test project user with the "view_only" role cannot see the "public" network. Enabling the RBAC policy for the "test" project allows the network to be visible, but it also enables the member of the project ("user") to reserve IP addresses for network components.

  I'm seeking guidance on where to find more information about policies to achieve the desired functionality. Should I redeploy all the services, or is depolying Neutron and Horizon sufficient? Am I on the right track with my policy tests, or is there a simpler way to achieve this functionality?