Neutron Policy

Neutron has a policy enforcement feature, which controls (allow, deny, filter out) the API Request/Response mechanism.

Policy file is configured in neutron.conf file,

policy_file = /etc/neutron/policy.json

The default policy file is /etc/neutron/policy.json.

Policy check is performed by Neutron during the following phases,

  1. Request Authorization
    1. Receives the API request and validates the authorization to allow or deny the request.
    2. For example: if the DELETE_PORT policy is configured so that only ADMIN is allowed, a tenant member's request to delete a port will be rejected, even if that member created the port.
  2. Response Filtering
    1. To be updated

Exploring Policy.json file

Each line is defined as below,

<target> : <rule>

Here "rule" defines the authorization.

SIMPLE RULE

Inbuilt rule (character)               Action
"" (empty string in double quotes)     ALLOW
"!" (exclamation mark)                 DENY
"@"                                    ALLOW

Example:

"create_network" : "@"

This policy allows the create_network API to be used by all users (roles).

USER DEFINED RULE/ CUSTOM RULES

The other types of rules are as follows:

role:<role name>, a test whether the API credentials contain this role.

rule:<rule name>, a reference to another named rule, which is how an alias is defined and reused.

Example1:

"create_network": "role:admin"

Example2:

"context_is_admin": "role:admin or user_name:neutron"

"admin_only": "rule:context_is_admin"

"create_network:router:external": "rule:admin_only"

In this example, aliases (context_is_admin and admin_only) are created and then applied to the action.
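To show how the simple rules, role checks and rule aliases above combine, here is a small evaluator for this rule syntax written as an added example; it is not Neutron's or oslo.policy's code, the policy fragment is constructed, and the user_name key is assumed to be present in the request credentials.

```python
import json

# Constructed policy fragment using the rule forms discussed above
# (not a real /etc/neutron/policy.json).
POLICY_JSON = """{
    "context_is_admin": "role:admin or user_name:neutron",
    "admin_only": "rule:context_is_admin",
    "create_network": "@",
    "create_network:router:external": "rule:admin_only",
    "delete_port": "rule:admin_only",
    "create_subnet": "!"
}"""
POLICY = json.loads(POLICY_JSON)

def _check(term, creds, depth):
    """Evaluate one term ('@', '!', '' or kind:value) against the credentials."""
    if term in ("@", ""):              # "@" and the empty string always allow
        return True
    if term == "!":                    # "!" always denies
        return False
    kind, _, value = term.partition(":")
    if kind == "rule":                 # alias: evaluate the referenced rule
        return _evaluate(POLICY.get(value, "!"), creds, depth + 1)
    if kind == "role":                 # role test against the credential roles
        return value in creds.get("roles", [])
    # any other key (user_name, ...) is compared to the credential attribute
    return str(creds.get(kind)) == value

def _evaluate(rule, creds, depth=0):
    """'and' binds tighter than 'or', so split on 'or' first, then on 'and'."""
    if depth > 10:                     # guard against alias cycles like "a": "rule:a"
        raise ValueError("rule alias nesting too deep")
    return any(
        all(_check(t.strip(), creds, depth) for t in clause.split(" and "))
        for clause in rule.split(" or ")
    )

def enforce(action, creds):
    """True if the credentials may perform the action; unknown actions are denied."""
    return _evaluate(POLICY.get(action, "!"), creds)

ADMIN = {"user_name": "alice", "roles": ["admin"]}
MEMBER = {"user_name": "bob", "roles": ["member"]}   # tenant member who owns the port

print(enforce("delete_port", MEMBER))   # False: admin_only, port ownership is irrelevant
print(enforce("delete_port", ADMIN))    # True
```

Note that a tenant member is denied delete_port purely by the role check; the evaluator never looks at who created the port.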

ACTION:

Some sample actions are create_network, delete_network, create_port, etc. Each Neutron API call is referred to by its action name.

