Help with neutron policy.json

asked 2019-05-02 15:33:28 -0500

Anfelmurillo gravatar image

I am trying to see what kind of access control policies I can express with Nova and Neutron policy.json.

Currently, I am able to limit certain operations to an user/role. For example, I can limit who can perform the operation "update_network". Nevertheless, I'd like to express policies that enable a role to only perform "update_network" on a specific subset of networks, is this possible? I was trying something like this: 

"update_network": "rule:admin_or_owner and network_id:%(27a23597-c5ad-41a6-9430-d148b379713e)s",

Having the currently list of networks:

+--------------------------------------+------------------+----------------------------------------------------------------------------+
| ID                                   | Name             | Subnets                                                                    |
+--------------------------------------+------------------+----------------------------------------------------------------------------+
| 27a23597-c5ad-41a6-9430-d148b379713e | permisos_network | 8caeb208-3310-46c1-8a47-646e98602541                                       |
| 917ffeed-1cff-4a6e-8630-81ceaad44f7c | no_permisos      |                                                                            |
| bcef732a-1fab-4ed9-9291-b21aa80feaf3 | public           | 6f1d191c-a832-498c-9cf1-2bcc0de803c7, 8b5c712b-31ff-40ef-8da0-250f53d02a40 |
+--------------------------------------+------------------+----------------------------------------------------------------------------+

If expressing such policies is not possible, is there another Openstack service that enables me to express such policies? I have already read the Congress documentation, but it seems to be more of the type "current network is in accordance with desired policy" and not "let's see if this API call is authorized"

Also, according to this question: https://ask.openstack.org/en/question/118600/what-are-the-defaults-roles-in-openstack-and-how-to-understand-what-a-role-can-do/ (https://ask.openstack.org/en/question...)

Nova has now a hard coded policy, is it possible to override it?

Thank you very much

edit retag flag offensive close merge delete

Comments

Would role-based access control fit your use case?

Bernd Bausch gravatar imageBernd Bausch ( 2019-05-02 17:32:33 -0500 )edit

Yes, RBAC would suit perfectly my case. I just found that the oslo.policy is the Openstack service mediating between the API/REST requests and the permissions. Reading its documentation I my rule shouldn't use the "%" operator as it seems to only be used for user attributes. Am I correct?

Anfelmurillo gravatar imageAnfelmurillo ( 2019-05-02 17:50:02 -0500 )edit
1

Short answer: Yes, you are right.

The % operator is a Python artefact. The Python code that processes policy.json directly uses those %(...) strings. The openstack client, however, doesn’t.

Bernd Bausch gravatar imageBernd Bausch ( 2019-05-02 19:57:46 -0500 )edit

I tried changing the rule by removing the % and () operators, like this:

#"update_network": "rule:admin_or_owner and network_id:'27a23597-c5ad-41a6-9430-d148b379713e' ",

but still it didn't work, I also tried removing the (' '), changing "network_id" by "id" and using ’ ’ Is there an example?

Anfelmurillo gravatar imageAnfelmurillo ( 2019-05-06 16:51:47 -0500 )edit

The command I try to run is: 

openstack network set --name perm_cambiado 27a23597-c5ad-41a6-9430-d148b379713e

If i understood, this should be valid because network_id=27a23... However, I get

HttpException: 403: Client Error for url: http://157.253.199.73:9696/v2.0/networks/27a23597-c5ad-4
Anfelmurillo gravatar imageAnfelmurillo ( 2019-05-06 16:53:45 -0500 )edit
see more comments