Merge "Add new policy rule SG_OWNER"

2021-03-09 18:47:14 +00:00 · 2021-03-09 18:47:14 +00:00 · 0a89c3df94
parent c09c4368fd 90edcf6441
commit 0a89c3df94
2 changed files with 6 additions and 1 deletions
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@ -81,6 +81,7 @@ SYSTEM_OR_PROJECT_READER = (
 # Additional rules needed in Neutron
 RULE_NET_OWNER = 'rule:network_owner'
 RULE_PARENT_OWNER = 'rule:ext_parent_owner'
+RULE_SG_OWNER = 'rule:sg_owner'

 rules = [
    policy.RuleDefault(
@ -141,6 +142,10 @@ rules = [
        'ext_parent_owner',
        'tenant_id:%(ext_parent:tenant_id)s',
        description='Rule for common parent owner check'),
+    policy.RuleDefault(
+        name='sg_owner',
+        check_str='tenant_id:%(security_group:tenant_id)s',
+        description='Rule for security group owner access'),
 ]


--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@ -140,7 +140,7 @@ rules = [
        name='get_security_group_rule',
        check_str=base.policy_or(
            base.SYSTEM_OR_PROJECT_READER,
-            RULE_ADMIN_OWNER_OR_SG_OWNER),
+            base.RULE_SG_OWNER),
        scope_types=['system', 'project'],
        description='Get a security group rule',
        operations=[