Policy.json has these two lines:
"create_service_profile": "rule:admin_only",
"get_service_profiles": "rule:admin_only",
However, get_service_profiles can be accessed without error by a non-admin user:
$ export OS_USERNAME=demo
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-08-28T22:11:10+0000 |
| id | gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM |
| project_id | 28f7717697d34265accbd0b348ee1e51 |
| user_id | 6465999184924e9d9fec2618b15ab277 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
devstack@devstack$ export MY_TOKEN=gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM
devstack@devstack:/opt/stack/logs$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": []}
I would expect an error similar to create_service_profile because they have the same admin_only policy:
$ curl -H "X-Auth-Token: $MY_TOKEN" -X POST http://127.0.0.1:9696/v2.0/service_profiles -d '{ "service_profile": { "enabled": "true", "description": "Dummy profile", "metainfo" : "{'foo': 'bar'}"}}'
{"NeutronError": {"message": "rule:create_service_profile is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
Please note that, despite not receiving an error, the non-admin user gets an empty list even though service_profiles exist:
$ export OS_USERNAME=admin
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-08-28T22:15:06+0000 |
| id | gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE |
| project_id | 28f7717697d34265accbd0b348ee1e51 |
| user_id | e935d2593d404a86ba0f58c5a84c8ae2 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ export MY_TOKEN=gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE
$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": [{"id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c", "enabled": true, "driver": "", "description": "Dummy profile", "metainfo": "{foo: bar}"}]}
The issue is really there (I tried in devstack, everything is on master).
What I see, however, is that the policy rule enforcement works in a slightly tricky way for GET (perhaps for other operations as well, but I only checked GET).
So let's look at GET /agents, which is an admin_only operation according to policy.json:
$ grep get_agent /etc/neutron/policy.json
"get_agent": "rule:admin_only",
1.) Let's see as tenant=admin, user=admin:
$ echo $OS_PROJECT_NAME ;echo $OS_TENANT_NAME ;echo $OS_USERNAME
admin
admin
admin
$ export MY_TOKEN=$(openstack token issue -c id -f value)
$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/agents
{"agents": [{"binary": "neutron-openvswitch-agent", ...}, ...]}
2.) Let's see the same as project=demo, user=demo
$ echo $OS_PROJECT_NAME ;echo $OS_TENANT_NAME ;echo $OS_USERNAME
demo
demo
demo
$ export MY_TOKEN=$(openstack token issue -c id -f value)
$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/agents
{"agents": []}
So the user really can't see the agents, which are allowed only for admin.
I am not sure / not qualified to say what the good behaviour would be:
1) Give the user an exception (like HTTP 403, with some text for it: "rule:delete_flavor is disallowed by policy...").
2) Or pretend to show something and give back an empty list, as it is now. I don't know the historical reasons, but these are topics for the security guys to chew on.
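As an added illustration (constructed for this page; it is not Neutron's or oslo.policy's own enforcement code), the following models the two enforcement styles the report and the comment above contrast: enforcing a rule and raising PolicyNotAuthorized (what POST /service_profiles shows), versus using the same admin_only rule as a per-item filter so that a non-admin caller gets an empty list instead of an error (what GET /service_profiles and GET /agents show). The tiny rule language (only `rule:` and `role:` checks), the Context class, the in-memory store and the "strict" list variant are all assumptions made for the example.

```python
"""Model of raise-vs-filter policy enforcement (constructed example, not Neutron code)."""


class PolicyNotAuthorized(Exception):
    """Mirrors the error text seen in the POST response above."""

    def __init__(self, rule):
        super().__init__("rule:%s is disallowed by policy" % rule)
        self.rule = rule


class Context:
    """Assumed request context: a user name and its Keystone roles."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = frozenset(roles)


class Enforcer:
    """Evaluates a minimal subset of oslo.policy-style rule strings.

    Supported forms (assumption for this example):
      ""            -> always allowed
      "role:<name>" -> caller has that role
      "rule:<name>" -> evaluate the named rule recursively
    """

    def __init__(self, rules):
        self.rules = dict(rules)

    def _eval(self, expr, ctx):
        if expr == "":
            return True
        kind, _, value = expr.partition(":")
        if kind == "rule":
            return self._eval(self.rules[value], ctx)
        if kind == "role":
            return value in ctx.roles
        raise ValueError("unsupported check: %r" % expr)

    def check(self, rule, ctx):
        """Boolean form: used by list handlers to drop invisible items."""
        return self._eval(self.rules[rule], ctx)

    def enforce(self, rule, ctx):
        """Raising form: used by create/update/delete handlers."""
        if not self.check(rule, ctx):
            raise PolicyNotAuthorized(rule)
        return True


# Rules taken from the policy.json lines quoted in the report, plus the
# admin_only definition and the singular get_ rule (assumed here).
POLICY = {
    "admin_only": "role:admin",
    "create_service_profile": "rule:admin_only",
    "get_service_profile": "rule:admin_only",
    "get_service_profiles": "rule:admin_only",
}

# Constructed stand-in for the database row seen in the admin GET above.
SAMPLE_PROFILE = {
    "id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c",
    "enabled": True,
    "driver": "",
    "description": "Dummy profile",
    "metainfo": "{foo: bar}",
}


def create_service_profile(enforcer, ctx, body, store):
    """POST path: the collection rule is enforced and failure raises."""
    enforcer.enforce("create_service_profile", ctx)
    store.append(dict(body))
    return store[-1]


def list_service_profiles(enforcer, ctx, store):
    """GET path modelled on the observed behaviour: the per-item rule is a
    filter, so a caller who fails it sees [] rather than a 403."""
    return [p for p in store if enforcer.check("get_service_profile", ctx)]


def list_service_profiles_strict(enforcer, ctx, store):
    """Alternative (1) from the comment: enforce the collection rule first,
    so a non-admin caller gets PolicyNotAuthorized instead of []."""
    enforcer.enforce("get_service_profiles", ctx)
    return [p for p in store if enforcer.check("get_service_profile", ctx)]


if __name__ == "__main__":
    enf = Enforcer(POLICY)
    admin, demo = Context("admin", ["admin"]), Context("demo", ["member"])
    store = [dict(SAMPLE_PROFILE)]
    print("admin GET:", list_service_profiles(enf, admin, store))
    print("demo  GET:", list_service_profiles(enf, demo, store))
    try:
        create_service_profile(enf, demo, {"description": "x"}, store)
    except PolicyNotAuthorized as exc:
        print("demo POST:", exc)
```

Running the block with the two constructed contexts reproduces the asymmetry in the report: both GET variants return the profile for admin, the filtering GET returns an empty list for demo, and the POST for demo raises with the same "is disallowed by policy" message; only the strict GET variant turns the demo list request into an error as well.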