[neutron][policy] Admin user can do anything without the control of policy.json?
Slawek Kaplonski
skaplons at redhat.com
Mon Sep 7 09:41:09 UTC 2020
Hi,
I'm adding Akihiro to the thread as maybe he will have some more knowledge about
why it is like that in Neutron.
On Mon, Sep 07, 2020 at 07:52:54AM +0000, Zhi CZ Chang wrote:
> Hi, all
>
> I have a question about Neutron Policy.
>
> I create some neutron policies in the file /etc/neutron/policy.json, plus
> in this policy file, I don't want to anyone to create address scope and
> set " "create_address_scope": "!" ".
>
> After that, I execute the command line " openstack address scope create
> test " by the admin user and it works fine.
>
> This is not my expected.
>
> After some investigation, I find that in this pr[1], it will return True
> directly even if the admin user.
>
> Could someone tell me why the admin user can do anything without the
> control of policies? Or maybe I make some mistakes?
>
>
> Thanks
>
> 1. https://review.opendev.org/#/c/175238/11/neutron/policy.py
--
Slawek Kaplonski
Principal software engineer
Red Hat
More information about the openstack-discuss
mailing list