[openstack-dev] [quantum] Relationship between networks' admin_state_up and router:external properties.

Ma, Stephen B. stephen.ma at hp.com
Mon Apr 15 17:59:37 UTC 2013


Hello,

I am trying to understand why there is a relationship between the networks' admin_state_up and router:external properties. How this was found is that I added to the etc/policy.json file the rule "update_networks:router:external": "admin_only". After this was added, I as the user of a tenant tried to do "quantum net-update <tenant-private-network-uuid> --admin_state_up false". It errors out with a "The resource could not be found" error. Adding some debugging statements in the enforcement module revealed Quantum is attempting to check the rules "update_network" and "update_network:router:external".

Because I added the rule "update_networks:router:external": "admin_only" to policy.json, the request was rejected. So there is a dependency of admin_state_up with the "router:external" property.

I am unable to find in the code the reason why a command to change admin_state_up resulted in "router:external" property. Does anyone know how this relationship is established?


"git diff 2013.1 etc/policy.json" is:

diff --git a/etc/policy.json b/etc/policy.json
index f2c304b..80c2884 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -33,6 +33,7 @@
     "create_network:shared": "rule:admin_only",
     "create_network:router:external": "rule:admin_only",
     "update_network": "rule:admin_or_owner",
+    "update_network:router:external": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",

     "create_port": "",
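
Review bot: The added "update_network:router:external": "rule:admin_only" line appears to be enforced on updates that never mention router:external, since the message reports that an owner's "--admin_state_up false" update is rejected once it is present. Before keeping this line, confirm that the attribute sub-rule is evaluated only when router:external is actually set in the request body; otherwise it effectively overrides "update_network": "rule:admin_or_owner" on the line above for every network update by a tenant. The key and value here also differ from the rule quoted in the message text ("update_networks:router:external": "admin_only"), so the description should be aligned with what the hunk actually adds.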