Custom Policy Roles

Besides the default policy roles, Neutron also supports using custom roles. Using custom roles with for example read only access to all of the resources requires to configure the policy rule which allows global access to the resources.

To grant the auditor role access to fetch all of the resources from the database, following rule should be added to the policy.yaml file:

"context_with_global_access": "role:auditor"

This will make all SQL queries made by neutron with the auditor role in the context to not be scoped by the project ID. This however don’t grant the auditor role to receive all of the resources from the Neutron API yet. To grant such permissions for example for the get_network action, following rule should be added to the policy.yaml file:

"get_network": "role:admin_only or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:auditor"

With those 2 rules in place, the auditor role will be able to fetch all of the networks from the Neutron API.