From 05ab8c591f487aec84b68832393cd2fdca68ef38 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 3 Dec 2020 16:43:10 +0100
Subject: [PATCH] Implement secure RBAC for auto_allocated_topology API

This commit updates the policies for auto_allocated_topology API to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security.

Partially-Implements blueprint: secure-rbac-roles
Change-Id: I109c73b7ad5f1157f40b8340723084f8c51272b2
---
 .../conf/policies/auto_allocated_topology.py | 35 +++++++++++++------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/neutron/conf/policies/auto_allocated_topology.py b/neutron/conf/policies/auto_allocated_topology.py
index d3b96ed025c..9178760d7de 100644
--- a/neutron/conf/policies/auto_allocated_topology.py
+++ b/neutron/conf/policies/auto_allocated_topology.py
@@ -17,29 +17,44 @@ from neutron.conf.policies import base
 
 RESOURCE_PATH = '/auto-allocated-topology/{project_id}'
 
+DEPRECATION_REASON = (
+    "The Auto allocated topology API now supports system scope "
+    "and default roles.")
 
 rules = [
     policy.DocumentedRuleDefault(
-        'get_auto_allocated_topology',
-        base.RULE_ADMIN_OR_OWNER,
-        "Get a project's auto-allocated topology",
-        [
+        name='get_auto_allocated_topology',
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        description="Get a project's auto-allocated topology",
+        operations=[
             {
                 'method': 'GET',
                 'path': RESOURCE_PATH,
             },
-        ]
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=policy.DeprecatedRule(
+            name='get_auto_allocated_topology',
+            check_str=base.RULE_ADMIN_OR_OWNER),
+        deprecated_reason=DEPRECATION_REASON,
+        deprecated_since='Wallaby'
     ),
     policy.DocumentedRuleDefault(
-        'delete_auto_allocated_topology',
-        base.RULE_ADMIN_OR_OWNER,
-        "Delete a project's auto-allocated topology",
-        [
+        name='delete_auto_allocated_topology',
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        description="Delete a project's auto-allocated topology",
+        operations=[
             {
                 'method': 'DELETE',
                 'path': RESOURCE_PATH,
             },
-        ]
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=policy.DeprecatedRule(
+            name='delete_auto_allocated_topology',
+            check_str=base.RULE_ADMIN_OR_OWNER),
+        deprecated_reason=DEPRECATION_REASON,
+        deprecated_since='Wallaby'
     ),
 ]
 
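Review bot: No policy unit test accompanies the new check strings — the diffstat lists only neutron/conf/policies/auto_allocated_topology.py — so nothing pins that a project reader can GET but not DELETE /auto-allocated-topology/{project_id}, that a project member can DELETE, or that a system reader is refused DELETE; the SYSTEM_OR_PROJECT_READER versus SYSTEM_ADMIN_OR_PROJECT_MEMBER split is the entire security content of this change and deserves assertions under neutron/tests/unit/conf/policies. Also worth stating next to DEPRECATION_REASON, if I read oslo.policy's deprecation handling correctly, is that the `deprecated_rule` entries keep the old `RULE_ADMIN_OR_OWNER` check OR'd with the new one until operators opt in to the new defaults, so the tighter reader/member split is not what is enforced out of the box: `# NOTE: until [oslo_policy] enforce_new_defaults is set, oslo.policy ORs the deprecated admin_or_owner check with the new one, so these stricter defaults are not yet enforced`. Whether the project-scope check actually receives the `{project_id}` from the URL as the target's project_id cannot be confirmed from this hunk and should be covered by the same test rather than assumed.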