commit | 0170c998278da82d02ee7b8b1be05326f40e5025 | |
---|---|---|
author | Felipe Monteiro <felipe.monteiro@att.com> | Tue Jul 31 20:10:05 2018 -0400 |
committer | Felipe Monteiro <felipe.monteiro@att.com> | Thu Oct 04 20:57:49 2018 +0100 |
tree | 92d5b095620b429c9c0819cc9949170b5b5efc24 | |
parent | 91e33c6ef17af701ed230802da6eee256bcc4884 | |
docs: Add sections about context_is_admin/custom policy checks

This documentation adds oslo.policy/policy related information to Patrole RBAC documentation so users understand some limitations related to current implementation of oslo.policy in OpenStack and some limitations around edge case policy testing w.r.t custom oslo.policy rulechecks.

* Currently admin context policy rule is used to skip over oslo.policy authorization checks in many services -- this is important to note as this means Patrole can't properly validate admin against oslo.policy [0].
* Currently it is not possible to test policy rules that rely on generic checks/oslo.policy checks defined in services themselves like Neutron's FieldCheck [1] as Patrole has no way of importing such code in order to get these checks registered.

[0] https://github.com/openstack/neutron/blob/b4b725ade9e11aff80c6193cb4acd49f2aba012d/neutron/policy.py#L374

[1] https://docs.openstack.org/neutron/pike/contributor/internals/policy.html#fieldcheck-verify-resource-attributes

Change-Id: I0e375a11eb323d83b1ece1537dbd008633126eb3