openstack/neutron
Code Issues Proposed changes

Merge "Add new policy rule SG_OWNER"

Browse Source
This commit is contained in:
Zuul 2021-03-09 18:47:14 +00:00 committed by Gerrit Code Review
commit 0a89c3df94
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
neutron/conf/policies/base.py
View File

@ -81,6 +81,7 @@ SYSTEM_OR_PROJECT_READER = (
# Additional rules needed in Neutron # Additional rules needed in Neutron
RULE_NET_OWNER = 'rule:network_owner' RULE_NET_OWNER = 'rule:network_owner'
RULE_PARENT_OWNER = 'rule:ext_parent_owner' RULE_PARENT_OWNER = 'rule:ext_parent_owner'
RULE_SG_OWNER = 'rule:sg_owner'
rules = [ rules = [
policy.RuleDefault( policy.RuleDefault(
@ -141,6 +142,10 @@ rules = [
'ext_parent_owner', 'ext_parent_owner',
'tenant_id:%(ext_parent:tenant_id)s', 'tenant_id:%(ext_parent:tenant_id)s',
description='Rule for common parent owner check'), description='Rule for common parent owner check'),
policy.RuleDefault(
name='sg_owner',
check_str='tenant_id:%(security_group:tenant_id)s',
description='Rule for security group owner access'),
] ]

2
neutron/conf/policies/security_group.py
View File

@ -140,7 +140,7 @@ rules = [
name='get_security_group_rule', name='get_security_group_rule',
check_str=base.policy_or( check_str=base.policy_or(
base.SYSTEM_OR_PROJECT_READER, base.SYSTEM_OR_PROJECT_READER,
RULE_ADMIN_OWNER_OR_SG_OWNER), base.RULE_SG_OWNER),
scope_types=['system', 'project'], scope_types=['system', 'project'],
description='Get a security group rule', description='Get a security group rule',
operations=[ operations=[