From 15fee2f573c330e4e533ff3841cb008afaba299f Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 1 Apr 2021 17:00:59 +0200
Subject: [PATCH] Fix API policy rules for new personas

During migration to the new personas in the API policies, we made few mistakes and allowed creation of some resources just for PROJECT_MEMBER role. It should also be possible for the SYSTEM_ADMIN persona and that patch fixes it by adding SYSTEM_ADMIN persona to the default rules where it was missing.

Related-blueprint: bp/secure-rbac-roles
Change-Id: I9f8a9f0ae24683458aa3b5f8e49c6f111ccf815a
(cherry picked from commit cabf19a984a575d14cc4cde0312807e859765aa8)
---
 neutron/conf/policies/rbac.py | 2 +-
 neutron/conf/policies/router.py | 2 +-
 neutron/conf/policies/subnetpool.py | 2 +-
 neutron/conf/policies/trunk.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/neutron/conf/policies/rbac.py b/neutron/conf/policies/rbac.py
index a6de6790cc5..568aa7890ea 100644
--- a/neutron/conf/policies/rbac.py
+++ b/neutron/conf/policies/rbac.py
@@ -34,7 +34,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_rbac_policy',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['system', 'project'],
 description='Create an RBAC policy',
 operations=[
diff --git a/neutron/conf/policies/router.py b/neutron/conf/policies/router.py
index c7347642c70..88c33e94d9c 100644
--- a/neutron/conf/policies/router.py
+++ b/neutron/conf/policies/router.py
@@ -39,7 +39,7 @@ ACTION_GET = [
 rules = [
 policy.DocumentedRuleDefault(
 name='create_router',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project'],
 description='Create a router',
 operations=ACTION_POST,
diff --git a/neutron/conf/policies/subnetpool.py b/neutron/conf/policies/subnetpool.py
index bd00c08d460..0605d10432e 100644
--- a/neutron/conf/policies/subnetpool.py
+++ b/neutron/conf/policies/subnetpool.py
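Review bot: No test accompanies the widened default on the `+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,` line of `create_rbac_policy`: the diffstat lists only the four policy files, so nothing in the patch pins that a system-scoped admin token is now accepted by this rule or that a project-scoped non-member is still refused. Since this is a deliberate loosening of an authorization default, add the system-admin create assertion (and keep the negative case) to the policy unit tests that cover the personas, so a later edit cannot silently fall back to `base.PROJECT_MEMBER`. The `rules = [` list this entry belongs to continues outside the hunk.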
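Review bot: In router.py the new `check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,` is paired with an unchanged `scope_types=['project'],`, unlike the other three hunks which list both scopes. With `[oslo_policy] enforce_scope` enabled, oslo.policy rejects a token whose scope is not in `scope_types` before the check string is evaluated, so a system-scoped admin presumably still cannot create a router after this change, and with enforcement off the mismatch only surfaces as a scope warning. Either add the scope here, `scope_types=['project', 'system'],`, or state in the commit message why routers stay project-only while the SYSTEM_ADMIN branch of the rule is kept. The `rules = [` list continues outside the hunk.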
@@ -33,7 +33,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='create_subnetpool',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project', 'system'],
 description='Create a subnetpool',
 operations=[
diff --git a/neutron/conf/policies/trunk.py b/neutron/conf/policies/trunk.py
index 9c7d5e72636..9caa3ffc0f8 100644
--- a/neutron/conf/policies/trunk.py
+++ b/neutron/conf/policies/trunk.py
@@ -26,7 +26,7 @@ DEPRECATED_REASON = (
 rules = [
 policy.DocumentedRuleDefault(
 name='create_trunk',
- check_str=base.PROJECT_MEMBER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
 scope_types=['project', 'system'],
 description='Create a trunk',
 operations=[