In case API policies with custom roles have to be defined by the
operator and such a custom role should be granted access to the
resources of all projects, like for example some kind of
"admin_reader" or "auditor" role, it was not possible to achieve that so far.
The problem was that for all non-admin and non-service users, SQL
queries were always scoped to the user's own project only, so such an "auditor"
couldn't even get data from different projects from the database.
This patch introduces a new API policy rule called
`context_with_global_access` and the attribute `has_global_access` on the
neutron_lib.context.ContextBase class.
By default the `context_with_global_access` rule is granted to nobody, but it
can be defined in the neutron policy file like e.g.:
"context_with_global_access": "role:auditor"
and then the `neutron_context` object for API requests made by someone with
such a role granted will be able to fetch all data from the database.
This doesn't mean that anyone with such a role will be able to do or get
everything through the API, because there is still the policy engine with
the defined API policies which prevents that.
So to e.g. grant such an auditor user permission to list all networks in
the cluster, an additional rule would be needed in the policy file, and it can
look for example like:
"get_network": "rule:admin_only or
(role:reader and project_id:%(project_id)s) or
rule:shared or rule:external or
rule:context_is_advsvc or
role:auditor"
Closes-Bug: #2115184
Change-Id: I90149b0212dafa8f469dc329cc4b45042cded38c
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
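As an added, self-contained model of the two-layer check this change describes (not neutron's or neutron_lib's own code), the following Python sketch evaluates a constructed policy set with a minimal oslo.policy-style matcher. The Context class, the POLICY strings and the NETWORKS rows are assumptions, and the pre-existing admin/service-user exemption from project scoping is left out so that only the new rule lifts the DB scope.

```python
import re
from dataclasses import dataclass

# Constructed policy set modelled on the rules named in the commit message;
# not neutron's real policy file. "context_with_global_access" is the new rule.
POLICY = {
    "admin_only": "role:admin",
    "context_with_global_access": "role:auditor",
    "get_network": "rule:admin_only or (role:reader and project_id:%(project_id)s) or role:auditor",
}
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\w+:(?:%\(\w+\)s|\w+)")

def check(rule, creds, target):
    # Minimal oslo.policy-style evaluator: role:, rule:, attr:%(attr)s, and/or, parens.
    toks, pos = TOKEN.findall(POLICY[rule]), 0
    def atom():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "(":
            val = expr(); pos += 1; return val        # skip the closing ')'
        kind, _, arg = tok.partition(":")
        if kind == "role":
            return arg in creds["roles"]
        if kind == "rule":
            return check(arg, creds, target)           # rule reference, recurse
        return (arg % target) == creds.get(kind)       # e.g. project_id:%(project_id)s
    def conj():
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; val = atom() and val
        return val
    def expr():
        nonlocal pos
        val = conj()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1; val = conj() or val
        return val
    return expr()

@dataclass
class Context:
    project_id: str
    roles: tuple
    @property
    def has_global_access(self):
        # Analogue of the new ContextBase attribute: granted only by the policy rule.
        return check("context_with_global_access", {"roles": self.roles, "project_id": self.project_id}, {})

NETWORKS = [{"id": "net-a", "project_id": "p1"}, {"id": "net-b", "project_id": "p2"}]  # constructed rows

def list_networks(ctx):
    # Layer 1: DB scoping (unscoped only with global access); layer 2: per-row API policy.
    rows = NETWORKS if ctx.has_global_access else [n for n in NETWORKS if n["project_id"] == ctx.project_id]
    creds = {"roles": ctx.roles, "project_id": ctx.project_id}
    return [n["id"] for n in rows if check("get_network", creds, n)]
```

A reader in p1 sees only net-a, an auditor in any project sees both rows, and a reader in a project with no networks sees nothing even though the API rule mentions the reader role.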