[S-RBAC] Add note about port:binding:profile field and SERVICE role

With new default API policies binding:profile attribute of the port can be only set or updated by the SERVICE user. This patch adds small note about this to the Neutron API-REF document. Related-Bug: #2052937 Change-Id: I0b2f2225e29537c9fd2de53b0945a451b9bcdde3
2024-02-19 09:08:54 +01:00 · 2024-02-19 09:08:54 +01:00 · 3aec8fdfee
commit 3aec8fdfee
parent 1fedbae833
1 changed files with 10 additions and 0 deletions
--- a/api-ref/source/v2/ports.inc
+++ b/api-ref/source/v2/ports.inc
@ -118,6 +118,16 @@ The extension defines several attributes whose names have a prefix
 ``binding:`` including ``binding:host_id``, ``binding:vnic_type``,
 ``binding:vif_type``, ``binding:vif_details``, and ``binding:profile``.

+.. warning::
+
+    When new defaults for the API policies are enabled (``enforce_new_defaults``
+    set to ``True`` in the Neutron's configuration), ``binding:profile`` can
+    be set or updated only by the user with granted ``SERVICE`` role.  In
+    case when it needs to be set by ``admin`` user e.g. for debugging
+    purpose, default API policies for ``create_port:binding:profile`` and/or
+    ``update_port:binding:profile`` needs to be overwritten in the
+    ``policy.yaml`` file.
+
 Port hints
 ==========