Neutron Policy Engine issues with PUT/Update
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Confirmed | Medium | Unassigned | |
Bug Description
We are using a policy that looks like this:
"network_
"update_
The idea is to protect special ports (by device_owner) from being updated but still allow users to create custom ports.
This causes the following error in the policy engine if a client tries to update fixed-ips of a port:
DEBUG neutron.policy [] Unable to find requested field: device_owner in target: {
'id': 'abc',
'network_id': 'abc',
'tenant_id': 'abc',
'status': 'ACTIVE',
'project_id': 'abc',
'fixed_ips': [{'subnet_id': 'abc', 'ip_address': '10.180.128.89'}],
'attributes_
} neutron/
When using PUT/Update, the policy engine is populated with data from the database, but only if the conditions in the policy_
But this is not the case for all other operations like GET, DELETE and CREATE. This seems to me like unintended behaviour. Shouldn't all attributes that are annotated by "enforce_policy" be pulled into the target dict?
From doc/source/
* If an attribute of a resource might be subject to authorization checks
then the ``enforce_policy`` attribute should be set to ``True``...
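
The gap described in this report, as an added stand-alone model (not Neutron's code and not part of the original report): the update target is built from a subset of stored fields, so a rule on `device_owner` has nothing to test. All function names, the attribute map, the stored port and the `network:` prefix rule are constructed assumptions; `LOGGED_FIELDS` mirrors the stored keys visible in the logged target above.

```python
import logging

LOG = logging.getLogger("policy_model")

# Constructed map: attribute name -> enforce_policy flag (assumed values).
ATTRS = {
    "id": False, "tenant_id": False, "project_id": False, "status": False,
    "network_id": True, "fixed_ips": True, "device_owner": True,
}

# Constructed stored port; identifiers reuse the placeholders from the log.
DB_PORT = {
    "id": "abc", "network_id": "abc", "tenant_id": "abc", "project_id": "abc",
    "status": "ACTIVE", "device_owner": "network:dhcp",
    "fixed_ips": [{"subnet_id": "abc", "ip_address": "10.180.128.88"}],
}

# Stored fields visible in the logged target (fixed_ips came from the request).
LOGGED_FIELDS = ["id", "network_id", "tenant_id", "status", "project_id"]


def build_update_target(db_obj, body, loaded_fields):
    """Selected stored fields, overlaid with the attributes being updated."""
    target = {k: db_obj[k] for k in loaded_fields if k in db_obj}
    target.update(body)
    return target


def enforce_policy_fields(attrs):
    """Every attribute flagged enforce_policy (what the report asks to load)."""
    return sorted(k for k, flag in attrs.items() if flag)


def field_matches(target, field, prefix):
    """Hypothetical prefix rule: a field absent from the target cannot match."""
    if field not in target:
        LOG.debug("Unable to find requested field: %s in target: %s", field, target)
        return False
    return str(target[field]).startswith(prefix)


def missing_rule_fields(target, rule_fields):
    """Fields a policy rule references that the target does not carry."""
    return [f for f in rule_fields if f not in target]
```

Running `missing_rule_fields` over the fields named in a policy file against a representative update target is a quick way to spot rules that can never see the attribute they test.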
Changed in neutron:
importance: Undecided → Wishlist
status: New → Confirmed
importance: Wishlist → Medium
tags: added: api