Help with neutron policy.json
I am trying to see what kind of access control policies I can express with Nova and Neutron policy.json.
Currently, I am able to limit certain operations to a user/role. For example, I can limit who can perform the operation "update_network". Nevertheless, I'd like to express policies that enable a role to only perform "update_network" on a specific subset of networks. Is this possible? I was trying something like this:
"update_network": "rule:admin_or_owner and network_id:%(27a23597-c5ad-41a6-9430-d148b379713e)s",
Having the current list of networks:
+--------------------------------------+------------------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+------------------+----------------------------------------------------------------------------+
| 27a23597-c5ad-41a6-9430-d148b379713e | permisos_network | 8caeb208-3310-46c1-8a47-646e98602541 |
| 917ffeed-1cff-4a6e-8630-81ceaad44f7c | no_permisos | |
| bcef732a-1fab-4ed9-9291-b21aa80feaf3 | public | 6f1d191c-a832-498c-9cf1-2bcc0de803c7, 8b5c712b-31ff-40ef-8da0-250f53d02a40 |
+--------------------------------------+------------------+----------------------------------------------------------------------------+
If expressing such policies is not possible, is there another OpenStack service that enables me to express such policies? I have already read the Congress documentation, but it seems to be more of the type "current network is in accordance with desired policy" and not "let's see if this API call is authorized".
Also, according to this question: https://ask.openstack.org/en/question/118600/what-are-the-defaults-roles-in-openstack-and-how-to-understand-what-a-role-can-do/
Nova now has a hard-coded policy; is it possible to override it?
Thank you very much
Would role-based access control fit your use case?
Yes, RBAC would suit my case perfectly. I just found that oslo.policy is the OpenStack service mediating between the API/REST requests and the permissions. Reading its documentation, my rule shouldn't use the "%" operator, as it seems to be used only for user attributes. Am I correct?
Short answer: Yes, you are right.
The % operator is a Python artefact. The Python code that processes policy.json directly uses those %(...) strings. The openstack client, however, doesn’t.
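To make the answer concrete, here is a small model of how a policy.json generic check of the form kind:match is evaluated (the match side is %-formatted against the target object, the kind side is a literal or a credentials attribute). This is an added illustration, not code from this thread or from oslo.policy itself; the quoted-literal rule form, the credentials and the targets are assumptions.

```python
import ast

# Constructed sample values; the network ID is the one from the question.
NETWORK_ID = "27a23597-c5ad-41a6-9430-d148b379713e"


def generic_check(kind, match, target, creds):
    """Simplified model of a generic 'kind:match' check (not the library itself).

    'match' is %-formatted against the target (a missing key fails the check);
    'kind' is a Python literal or a dotted lookup into the credentials.
    """
    try:
        value = match % target
    except KeyError:
        return False
    try:
        expected = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        expected = creds
        for part in kind.split("."):
            if not isinstance(expected, dict) or part not in expected:
                return False
            expected = expected[part]
    return value == expected


def evaluate(expr, rules, target, creds):
    """Evaluate 'or' (loosest), 'and', rule:, role: and generic checks; no parentheses."""
    if " or " in expr:
        return any(evaluate(p, rules, target, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, rules, target, creds) for p in expr.split(" and "))
    kind, match = expr.strip().split(":", 1)
    if kind == "rule":
        return evaluate(rules[match], rules, target, creds)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    return generic_check(kind, match, target, creds)


RULES = {
    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
    # As posted: the UUID inside %(...)s is looked up as a target attribute *name*.
    "as_posted": "rule:admin_or_owner and network_id:%(" + NETWORK_ID + ")s",
    # Without %: the literal is compared to creds['network_id'], which does not exist.
    "no_percent": "rule:admin_or_owner and network_id:" + NETWORK_ID,
    # Assumed working form: quoted literal on the left, target attribute on the right.
    "literal_vs_target": "rule:admin_or_owner and '" + NETWORK_ID + "':%(id)s",
}


def check(rule_name, target, creds):
    return evaluate(RULES[rule_name], RULES, target, creds)


# Constructed credentials (a Member of project "proj-a") and two network targets.
CREDS = {"tenant_id": "proj-a", "roles": ["Member"]}
PERMISOS = {"id": NETWORK_ID, "tenant_id": "proj-a"}
NO_PERMISOS = {"id": "917ffeed-1cff-4a6e-8630-81ceaad44f7c", "tenant_id": "proj-a"}
```

Running check("as_posted", PERMISOS, CREDS) and check("no_percent", PERMISOS, CREDS) both deny, while the quoted-literal form allows the permisos_network target and denies no_permisos.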
I tried changing the rule by removing the % and () operators, like this:
but it still didn't work. I also tried removing the (' '), changing "network_id" to "id" and using ’ ’. Is there an example?
The command I try to run is:
If I understood correctly, this should be valid because network_id=27a23... However, I get