Slawek Kaplonski dde9ccfee0 Add "can_set_project_id" attribute to the context object
In the case where API policies with custom roles have to be defined by the
operator, and such a custom role should be granted permission to
send a project_id other than its own project_id in the request body (for
example a "network_admin" role which should be able to create networks on
behalf of every project in the cloud), this was not possible to achieve so far.

The problem was that for all non-admin and non-service users, the function
``neutron_lib.api.attributes._validate_privileges`` had hardcoded that
sending project_id in the request body is only allowed for admin and
service users (advsvc).

This patch introduces a new API policy rule called
`context_can_set_project_id` and an attribute `can_set_project_id` in the
neutron_lib.context.ContextBase class.
By default the `context_can_set_project_id` rule is granted to nobody, but it
can be defined in the neutron policy file, e.g.:

    "context_can_set_project_id": "role:network_admin"

This doesn't mean that anyone with such a role will be able to create
anything for any project, because there is still the policy engine with
defined API policies which prevents that.
So, to e.g. grant such a network_admin user permission to create networks
for every project, an additional rule would be needed in the policy file, and it
can look like:

    "create_network": "(rule:admin_only) or
                       (role:member and project_id:%(project_id)s) or
                       role:network_admin"

Closes-Bug: #2133212

Change-Id: I45fd5d227fb6d6bf31e239e9d36f7b39f9b1257e
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
2025-12-04 10:30:16 +01:00
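The two checks the commit message describes, modelled as an added Python example (this is not neutron-lib's own code; `Context`, `validate_privileges` and the helper names are assumed for illustration, and the two policy strings from the message are reduced to plain functions instead of oslo.policy rules):

```python
from dataclasses import dataclass, field

@dataclass
class Context:
    """Assumed stand-in for neutron_lib.context.ContextBase."""
    project_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False
    is_advsvc: bool = False
    can_set_project_id: bool = False  # attribute introduced by the commit

def rule_context_can_set_project_id(ctx):
    # "context_can_set_project_id": "role:network_admin"
    return "network_admin" in ctx.roles

def rule_create_network(ctx, target, network_admin_granted):
    # "create_network": "(rule:admin_only) or
    #                    (role:member and project_id:%(project_id)s) or
    #                    role:network_admin"
    # With network_admin_granted=False the last clause is absent, i.e. the
    # operator granted context_can_set_project_id but not create_network.
    return (ctx.is_admin
            or ("member" in ctx.roles and target["project_id"] == ctx.project_id)
            or (network_admin_granted and "network_admin" in ctx.roles))

def validate_privileges(ctx, body):
    """Assumed model of neutron_lib.api.attributes._validate_privileges:
    a foreign project_id in the body is accepted only for admin/advsvc and,
    after this change, for a context whose can_set_project_id is True."""
    requested = body.get("project_id", ctx.project_id)
    if requested != ctx.project_id and not (
            ctx.is_admin or ctx.is_advsvc or ctx.can_set_project_id):
        raise PermissionError("specifying another project_id is not allowed")
    return requested

def create_network_allowed(ctx, body, network_admin_granted=True):
    """Attribute validation first, then the create_network API policy."""
    ctx.can_set_project_id = rule_context_can_set_project_id(ctx)
    try:
        project_id = validate_privileges(ctx, body)
    except PermissionError:
        return False
    return rule_create_network(ctx, {"project_id": project_id},
                               network_admin_granted)
```

Both layers must agree: `context_can_set_project_id` only lets the request body carry a foreign project_id, while `create_network` still decides whether that role may create the resource.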