Comment 1 for bug 1942617

Slawek Kaplonski (slaweq) wrote :

I investigated that issue more and it seems that:

1. rules are visible fine when doing

curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-groups/241128fb-e39c-47f3-8e81-b018f212b1c2"

2. rules cannot be listed when doing

curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-group-rules?security_group_id=241128fb-e39c-47f3-8e81-b018f212b1c2"

The difference between those 2 things is that in case of 1) Neutron checks if the tenant who made the request has access to the SG object (and that is true as the SG is shared through RBAC). In case of 2) Neutron is checking if the tenant has access to each of the rules and it filters them out, as the rules aren't really shared with the tenant.
It is filtered out in https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L313

The solution for that isn't easy for sure. The main problem is that the policy enforcer, which is filtering out rules from the list, isn't really aware of the RBAC mechanism which is implemented one level above, in the Neutron DB really. So I think we would need to have some extra DB queries to check for each SG rule if its SG is actually shared with the project who made the request or not. That may have an impact on the API performance and the question is: do we want to fix it that way, or maybe documenting that limitation while listing SG rules would be enough?
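The discrepancy described in this comment, modelled as an added Python example. This is not Neutron's code: the in-memory security group, rule and RBAC objects, the `access_as_shared` entry shape and the two filter functions are constructed here to show why an object-level check on the SG admits a shared tenant while a per-rule owner check drops every rule, and what the extra "is the parent SG shared with the requester" lookup changes.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed toy model of the Neutron objects involved (not Neutron's data model).

@dataclass
class Rule:
    id: str
    security_group_id: str
    project_id: str          # a rule is owned by the SG owner, not by the tenant it is shared with


@dataclass
class SecurityGroup:
    id: str
    project_id: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class RbacEntry:
    """Models an RBAC policy row sharing an SG (assumed shape: object_id, target project, action)."""
    object_id: str
    target_project: str      # '*' means shared with every project
    action: str = "access_as_shared"


def sg_visible_to(sg: SecurityGroup, requester: str, rbac: List[RbacEntry]) -> bool:
    """Object-level check: owner, or an RBAC entry that shares this SG with the requester."""
    if sg.project_id == requester:
        return True
    return any(
        e.object_id == sg.id and e.action == "access_as_shared"
        and e.target_project in ("*", requester)
        for e in rbac
    )


def show_security_group(sg: SecurityGroup, requester: str, rbac: List[RbacEntry]) -> List[Rule]:
    """Case 1 in the comment: GET /security-groups/<id> checks the SG object, then returns its rules."""
    if not sg_visible_to(sg, requester, rbac):
        raise PermissionError("security group not visible to %s" % requester)
    return list(sg.rules)


def list_rules_owner_only(rules: List[Rule], requester: str) -> List[Rule]:
    """Case 2 in the comment: the policy enforcer filters each rule by its own owner
    and knows nothing about RBAC sharing, so rules of a shared SG disappear."""
    return [r for r in rules if r.project_id == requester]


def list_rules_rbac_aware(rules: List[Rule], requester: str,
                          sgs: Dict[str, SecurityGroup], rbac: List[RbacEntry]) -> List[Rule]:
    """The extra lookup the comment proposes: keep a rule if the requester owns it
    or if its parent SG is shared with the requester through RBAC."""
    return [
        r for r in rules
        if r.project_id == requester
        or (r.security_group_id in sgs and sg_visible_to(sgs[r.security_group_id], requester, rbac))
    ]


def build_sample():
    """Constructed sample data: SG owned by proj-a, shared with proj-b only."""
    sg = SecurityGroup(id="sg-1", project_id="proj-a")
    sg.rules = [
        Rule(id="rule-1", security_group_id="sg-1", project_id="proj-a"),
        Rule(id="rule-2", security_group_id="sg-1", project_id="proj-a"),
    ]
    rbac = [RbacEntry(object_id="sg-1", target_project="proj-b")]
    return {"sg-1": sg}, rbac


def rule_ids_seen(requester: str, mode: str) -> List[str]:
    """Return the rule ids the requester sees via the given path: 'show', 'list', or 'list_rbac'."""
    sgs, rbac = build_sample()
    all_rules = [r for sg in sgs.values() for r in sg.rules]
    if mode == "show":
        try:
            return [r.id for r in show_security_group(sgs["sg-1"], requester, rbac)]
        except PermissionError:
            return []
    if mode == "list":
        return [r.id for r in list_rules_owner_only(all_rules, requester)]
    return [r.id for r in list_rules_rbac_aware(all_rules, requester, sgs, rbac)]


if __name__ == "__main__":
    for who in ("proj-a", "proj-b", "proj-c"):
        print(who, "show:", rule_ids_seen(who, "show"),
              "list:", rule_ids_seen(who, "list"),
              "list_rbac:", rule_ids_seen(who, "list_rbac"))
```

Running it shows the shared tenant `proj-b` getting both rules through the SG show path, nothing through the owner-only rule list, and both again once the list filter consults the parent SG's RBAC sharing; `proj-c`, which is not a sharing target, gets nothing on every path. The RBAC-aware list needs one SG lookup per rule, which is the performance cost the comment raises.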