[neutron][policy] Admin user can do anything without the control of policy.json?
Hi,

I'm adding Akihiro to the thread as maybe he will have some more knowledge about why it is like that in Neutron.

On Mon, Sep 07, 2020 at 07:52:54AM +0000, Zhi CZ Chang wrote:
> Hi, all
>
> I have a question about Neutron Policy.
>
> I create some neutron policies in the file /etc/neutron/policy.json; in this policy file, I don't want anyone to create address scopes, and I set "create_address_scope": "!".
>
> After that, I execute the command line "openstack address scope create test" as the admin user and it works fine.
>
> This is not what I expected.
>
> After some investigation, I find that in this PR [1], it will return True directly when the user is the admin user.
>
> Could someone tell me why the admin user can do anything without the control of policies? Or maybe I made some mistakes?
>
> Thanks
>
> [1] https://review.opendev.org/#/c/175238/11/neutron/policy.py

--
Slawek Kaplonski
Principal software engineer
Red Hat
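
The behaviour discussed in this thread, as an added example that is not part of either message and is not Neutron's code: a minimal Python model of a policy check with an admin short-circuit, used to list the rules in a policy file that an admin context bypasses. The evaluator covers only a subset of the policy language (no parentheses), and the sample policy, credentials and function names are constructed for illustration.

```python
import re

# Constructed sample, shaped like the /etc/neutron/policy.json described in the thread.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "create_address_scope": "!",
    "get_address_scope": "rule:admin_or_owner",
}

def evaluate(rule, creds, target, policy):
    """Evaluate a subset of the policy language: !, @, or, and, role:, rule:, key:%(field)s."""
    rule = rule.strip()
    if rule == "!":                      # "!" never matches: deny everyone
        return False
    if rule in ("", "@"):                # empty rule or "@" always matches
        return True
    if " or " in rule:                   # "or" binds more loosely than "and"
        return any(evaluate(p, creds, target, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(evaluate(p, creds, target, policy) for p in rule.split(" and "))
    kind, _, match = rule.partition(":")
    if kind == "rule":                   # reference to another named rule
        return evaluate(policy[match], creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", match)   # key:%(field)s compares creds to the target
    expected = target.get(m.group(1)) if m else match
    return expected is not None and creds.get(kind) == expected

def enforce(action, creds, target, policy, admin_short_circuit=True):
    """Model of the flow described in the thread: an admin context is
    authorized before the action's own rule is ever evaluated."""
    if admin_short_circuit and evaluate(policy["context_is_admin"], creds, target, policy):
        return True
    return evaluate(policy[action], creds, target, policy)

def bypassed_for_admin(policy, admin_creds):
    """Actions whose rule would deny the admin but which the short-circuit allows."""
    return sorted(a for a in policy
                  if not enforce(a, admin_creds, {}, policy, admin_short_circuit=False)
                  and enforce(a, admin_creds, {}, policy))
```

Running `bypassed_for_admin` over a deployed policy file shows which deny rules only constrain non-admin users under this model.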
participants (2)
- Slawek Kaplonski
- Zhi CZ Chang