neutron/doc/source/configuration/custom_policy_roles.rst
Slawek Kaplonski 162a4dd1c5 Add default value for the "context_with_global_access" policy
This API policy rule can be used to specify who besides admin and
service role can have access to the resources from all projects.
It is added to the neutron_lib.context.Context with patch [1].

This patch also adds unit tests to check basic GET network(s) calls to
the core plugin to make sure that it can return from the database
resources which belong to different projects if
`context.has_global_access` is set to `True`.
Those unit tests are not testing API policies, as the policy module is
"skipped" in those unit tests completely.

Additionally this patch adds documentation which describes how to use
this rule in the custom policy file.

[1] https://review.opendev.org/c/openstack/neutron-lib/+/954054

Depends-On: https://review.opendev.org/c/openstack/neutron-lib/+/954054

Related-bug: #2115184

Change-Id: Id68170ef7ed12ddca51610d53e6ef936d84577be
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
2025-07-23 16:40:25 +02:00


.. _Custom Policy Roles:

===================
Custom Policy Roles
===================

Besides the :ref:`default policy roles <Policy Reference>`, Neutron also
supports using custom roles. Using a custom role with, for example, read-only
access to all of the resources requires configuring the policy rule that
allows ``global access`` to the resources.

To grant the ``auditor`` role access to fetch all of the resources from the
database, the following rule should be added to the ``policy.yaml`` file:

.. code-block:: yaml

    "context_with_global_access": "role:auditor"

This makes all SQL queries made by Neutron with the ``auditor`` role in the
context unscoped by project ID.

This, however, does not yet grant the ``auditor`` role permission to receive
all of the resources from the Neutron API. To grant such permission, for
example for the ``get_network`` action, the following rule should be added to
the ``policy.yaml`` file:

.. code-block:: yaml

    "get_network": "role:admin_only or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:auditor"

With those two rules in place, the ``auditor`` role will be able to fetch all of
the networks from the Neutron API.
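The two-layer behaviour described above (database scoping controlled by
``context_with_global_access``, API access controlled by the per-action rule)
can be checked offline before the file is deployed. The script below is an added
example and is not Neutron or oslo.policy code: it is a small evaluator for the
subset of the oslo.policy rule language these two rules use (``role:``,
``rule:``, ``project_id:%(project_id)s``, a simplified ``field:`` check, ``and``,
``or``, ``not`` and parentheses). The ``shared``, ``external`` and
``context_is_advsvc`` helper rules, the contexts and the network record are
constructed sample data, and ``query_is_unscoped`` / ``can_get_network`` are
names invented for this example. It shows that with only the first rule the
auditor's queries are unscoped but ``get_network`` still denies a foreign
network, and that the second rule is what finally returns it.

```python
"""Minimal evaluator for oslo.policy-style rule strings (added example).

Not oslo.policy and not Neutron code: only the subset of the rule language used
by the two rules on this page is implemented, so their effect can be checked
offline. All policy dicts, contexts and network records are constructed.
"""

# Constructed helper rules referenced by get_network. Neutron's real FieldCheck
# applies attribute converters; a plain string comparison suffices here.
BASE_RULES = {
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",
    "context_is_advsvc": "role:advsvc",
}
GET_NETWORK_DEFAULT = (
    "role:admin_only or (role:reader and project_id:%(project_id)s) "
    "or rule:shared or rule:external or rule:context_is_advsvc"
)
# Only the first rule from the page: DB queries become unscoped for auditor,
# but the API rule for get_network still does not mention that role.
POLICY_GLOBAL_ONLY = dict(BASE_RULES, context_with_global_access="role:auditor",
                          get_network=GET_NETWORK_DEFAULT)
# Both rules from the page.
POLICY_AUDITOR = dict(POLICY_GLOBAL_ONLY,
                      get_network=GET_NETWORK_DEFAULT + " or role:auditor")


def _tokenize(rule):
    """Split on whitespace, then peel leading '(' and trailing ')' off each
    token (as oslo.policy does) so "%(project_id)s" is not torn apart."""
    for tok in rule.split():
        body = tok.lstrip("(")
        yield from "(" * (len(tok) - len(body))
        core = body.rstrip(")")
        if core:
            yield core.lower() if core.lower() in ("and", "or", "not") else core
        yield from ")" * (len(body) - len(core))


def _parse(tokens):
    """Recursive descent; 'and' binds tighter than 'or', as in oslo.policy."""
    toks, pos = list(tokens), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in rule")
            return node
        return ("not", primary()) if tok == "not" else ("check", tok)

    def and_expr():
        node = primary()
        while peek() == "and":
            take()
            node = ("and", node, primary())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    tree = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in rule")
    return tree


def _check(check, policy, creds, target, depth):
    kind, _, match = check.partition(":")
    if kind == "role":
        return match in creds.get("roles", ())
    if kind == "rule":  # reference to another named rule
        return enforce(policy, match, creds, target, depth + 1)
    if kind == "field":  # simplified "field:<resource>:<attr>=<value>"
        attr, _, value = match.partition(":")[2].partition("=")
        return str(target.get(attr)) == value
    # generic check, e.g. project_id:%(project_id)s: creds value vs. target value
    return str(creds.get(kind)) == match % target


def _eval(node, policy, creds, target, depth):
    op = node[0]
    if op == "check":
        return _check(node[1], policy, creds, target, depth)
    if op == "not":
        return not _eval(node[1], policy, creds, target, depth)
    left = _eval(node[1], policy, creds, target, depth)
    if op == "and":
        return left and _eval(node[2], policy, creds, target, depth)
    return left or _eval(node[2], policy, creds, target, depth)


def enforce(policy, rule_name, creds, target, depth=0):
    """Evaluate policy[rule_name]; unknown rules deny, rule loops abort."""
    if depth > 10:
        raise RecursionError("rule reference loop at " + rule_name)
    if rule_name not in policy:
        return False
    return _eval(_parse(_tokenize(policy[rule_name])), policy, creds, target, depth)


def query_is_unscoped(policy, creds):
    """Would the DB layer drop the project_id filter for this context?"""
    return enforce(policy, "context_with_global_access", creds, {})


def can_get_network(policy, creds, network):
    """Would the API layer return this network to this context?"""
    return enforce(policy, "get_network", creds, network)


# Constructed contexts and a network owned by a different project.
AUDITOR = {"roles": ["auditor"], "project_id": "audit-project"}
READER_B = {"roles": ["reader"], "project_id": "project-b"}
NET_A = {"project_id": "project-a", "shared": False, "router:external": False}
```

Running ``query_is_unscoped(POLICY_GLOBAL_ONLY, AUDITOR)`` answers ``True`` while
``can_get_network(POLICY_GLOBAL_ONLY, AUDITOR, NET_A)`` stays ``False``; only
``POLICY_AUDITOR`` makes the latter ``True``. A plain ``reader`` in another
project is still denied the network unless it is shared or external, which is
the behaviour a reviewer of a custom ``policy.yaml`` wants to confirm has not
been widened by accident.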