
Fix API policy rules for new personas

During migration to the new personas in the API policies, we made a few
mistakes and allowed creation of some resources just for the PROJECT_MEMBER
role. It should also be possible for the SYSTEM_ADMIN persona, and this
patch fixes it by adding the SYSTEM_ADMIN persona to the default rules where
it was missing.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I9f8a9f0ae24683458aa3b5f8e49c6f111ccf815a
(cherry picked from commit cabf19a984)
changes/76/784576/2
Slawek Kaplonski 3 weeks ago
parent
commit
15fee2f573
4 changed files with 4 additions and 4 deletions
  1. +1
    -1
      neutron/conf/policies/rbac.py
  2. +1
    -1
      neutron/conf/policies/router.py
  3. +1
    -1
      neutron/conf/policies/subnetpool.py
  4. +1
    -1
      neutron/conf/policies/trunk.py

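--- a/neutron/conf/policies/rbac.py
+++ b/neutron/conf/policies/rbac.py
@@ -34,7 +34,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_rbac_policy',
-check_str=base.PROJECT_MEMBER,
+check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['system', 'project'],
 description='Create an RBAC policy',
 operations=[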
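Review bot: Nothing in this commit pins the widened default for `create_rbac_policy`, and the same holds for `create_router`, `create_subnetpool` and `create_trunk`: all four changed files are policy modules and no test change is shown. Since these check strings decide who may create the resources, a per-rule test asserting that a system admin is accepted and that lower system-scoped roles are still refused would catch the kind of persona slip the description says happened during the migration. A one-line comment above the changed line, such as `# SYSTEM_ADMIN added deliberately, see bp/secure-rbac-roles`, would also record the intent for the next reader. The `DocumentedRuleDefault` call continues past the end of the hunk.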


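--- a/neutron/conf/policies/router.py
+++ b/neutron/conf/policies/router.py
@@ -39,7 +39,7 @@ ACTION_GET = [
 rules = [
 policy.DocumentedRuleDefault(
 name='create_router',
-check_str=base.PROJECT_MEMBER,
+check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project'],
 description='Create a router',
 operations=ACTION_POST,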
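Review bot: `create_router` keeps `scope_types=['project']` while its check string now names the system admin persona, so the two settings disagree. How `base.SYSTEM_ADMIN_OR_PROJECT_MEMBER` is defined is not visible here, but if its admin half requires a system-scoped token, that token would presumably be refused on scope when oslo.policy's `enforce_scope` is on, and accepted on the check string alone when it is off. The other three rules in this commit list both scopes; if system admins are meant to create routers the line should read `scope_types=['project', 'system'],`, and if they are not, the check string should stay `base.PROJECT_MEMBER`. The rule's remaining arguments fall outside the hunk.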


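--- a/neutron/conf/policies/subnetpool.py
+++ b/neutron/conf/policies/subnetpool.py
@@ -33,7 +33,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='create_subnetpool',
-check_str=base.PROJECT_MEMBER,
+check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project', 'system'],
 description='Create a subnetpool',
 operations=[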


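--- a/neutron/conf/policies/trunk.py
+++ b/neutron/conf/policies/trunk.py
@@ -26,7 +26,7 @@ DEPRECATED_REASON = (
 rules = [
 policy.DocumentedRuleDefault(
 name='create_trunk',
-check_str=base.PROJECT_MEMBER,
+check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project', 'system'],
 description='Create a trunk',
 operations=[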

