[Secure RBAC] Add shared_qos_policy rule

For shared QoS policies we need to have additional rule which will allow to list shared policies for projects which aren't owners of the QoS policy. Closes-bug: #2004013 Closes-bug: #2004014 Change-Id: I593896ab087e3d916b10d7d5f6b22b501060b934
2023-02-01 11:25:04 +01:00 · 2023-02-01 11:25:04 +01:00 · 221cf9497f
parent 06e2e22d31
commit 221cf9497f
1 changed files with 8 additions and 1 deletions
--- a/neutron/conf/policies/qos.py
+++ b/neutron/conf/policies/qos.py
@ -21,9 +21,16 @@ The QoS API now supports project scope and default roles.


 rules = [
+    policy.RuleDefault(
+        'shared_qos_policy',
+        'field:policies:shared=True',
+        description='Rule of shared qos policy'),
    policy.DocumentedRuleDefault(
        name='get_policy',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.policy_or(
+            base.ADMIN_OR_PROJECT_READER,
+            'rule:shared_qos_policy'
+        ),
        scope_types=['project'],
        description='Get QoS policies',
        operations=[