[RBAC] Update the subnet policies

* get_subnet: the network owner can retrieve the subnet too. * update_subnet: any project member can update the subnet. * delete_subnet: any project member can delete the subnet. Closes-Bug: #2038646 Change-Id: Iae2e3a31eb65d68dc0d3d0f9dd9fc8cf83260769
2023-10-05 19:32:32 +00:00
parent a45263e146
commit 294e1c60b4
2 changed files with 135 additions and 3 deletions
--- a/neutron/conf/policies/subnet.py
+++ b/neutron/conf/policies/subnet.py
@@ -81,7 +81,8 @@ rules = [
    policy.DocumentedRuleDefault(
        name='get_subnet',
        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_PROJECT_READER,
+            base.ADMIN_OR_NET_OWNER_MEMBER,
+            base.PROJECT_READER,
            'rule:shared'),
        scope_types=['project'],
        description='Get a subnet',
@@ -108,7 +109,9 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='update_subnet',
-        check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_NET_OWNER_MEMBER,
+            base.PROJECT_MEMBER),
        scope_types=['project'],
        description='Update a subnet',
        operations=ACTION_PUT,
@@ -144,7 +147,9 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='delete_subnet',
-        check_str=base.ADMIN_OR_NET_OWNER_MEMBER,
+        check_str=neutron_policy.policy_or(
+            base.ADMIN_OR_NET_OWNER_MEMBER,
+            base.PROJECT_MEMBER),
        scope_types=['project'],
        description='Delete a subnet',
        operations=ACTION_DELETE,
--- a/neutron/tests/unit/conf/policies/test_subnet.py
+++ b/neutron/tests/unit/conf/policies/test_subnet.py
@@ -45,6 +45,13 @@ class SubnetAPITestCase(base.PolicyBaseTestCase):
            'tenant_id': self.project_id,
            'network_id': self.network['id'],
            'ext_parent_network_id': self.network['id']}
+        # This network belongs to "project_id", but not the network that
+        # belongs to "alt_project_id".
+        self.target_net_alt_target = {
+            'project_id': self.project_id,
+            'tenant_id': self.project_id,
+            'network_id': self.alt_network['id'],
+            'ext_parent_network_id': self.alt_network['id']}
        self.alt_target = {
            'project_id': self.alt_project_id,
            'tenant_id': self.alt_project_id,
@@ -72,6 +79,10 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'create_subnet', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'create_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -82,6 +93,11 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'create_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'create_subnet:segment_id',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -92,6 +108,11 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'create_subnet:service_types', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'create_subnet:service_types',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -102,6 +123,10 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'get_subnet', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'get_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -112,6 +137,10 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'get_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'get_subnet:segment_id', self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -122,6 +151,10 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'update_subnet', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'update_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -132,6 +165,11 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'update_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'update_subnet:segment_id',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -142,6 +180,11 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'update_subnet:service_types', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'update_subnet:service_types',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -152,6 +195,10 @@ class SystemAdminTests(SubnetAPITestCase):
            base_policy.InvalidScope,
            policy.enforce,
            self.context, 'delete_subnet', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'delete_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.InvalidScope,
            policy.enforce,
@@ -181,6 +228,9 @@ class AdminTests(SubnetAPITestCase):
    def test_create_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'create_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'create_subnet',
+                           self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(self.context, 'create_subnet', self.alt_target))

@@ -188,6 +238,10 @@ class AdminTests(SubnetAPITestCase):
        self.assertTrue(
            policy.enforce(
                self.context, 'create_subnet:segment_id', self.target))
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_subnet:segment_id',
+                self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(
                self.context, 'create_subnet:segment_id', self.alt_target))
@@ -196,6 +250,10 @@ class AdminTests(SubnetAPITestCase):
        self.assertTrue(
            policy.enforce(
                self.context, 'create_subnet:service_types', self.target))
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'create_subnet:service_types',
+                self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(
                self.context, 'create_subnet:service_types', self.alt_target))
@@ -203,12 +261,18 @@ class AdminTests(SubnetAPITestCase):
    def test_get_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'get_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'get_subnet',
+                           self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(self.context, 'get_subnet', self.alt_target))

    def test_get_subnet_segment_id(self):
        self.assertTrue(
            policy.enforce(self.context, 'get_subnet:segment_id', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'get_subnet:segment_id',
+                           self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(
                self.context, 'get_subnet:segment_id', self.alt_target))
@@ -216,6 +280,9 @@ class AdminTests(SubnetAPITestCase):
    def test_update_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'update_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_subnet',
+                           self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(self.context, 'update_subnet', self.alt_target))

@@ -223,6 +290,10 @@ class AdminTests(SubnetAPITestCase):
        self.assertTrue(
            policy.enforce(
                self.context, 'update_subnet:segment_id', self.target))
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_subnet:segment_id',
+                self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(
                self.context, 'update_subnet:segment_id', self.alt_target))
@@ -231,6 +302,10 @@ class AdminTests(SubnetAPITestCase):
        self.assertTrue(
            policy.enforce(
                self.context, 'update_subnet:service_types', self.target))
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'update_subnet:service_types',
+                self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(
                self.context, 'update_subnet:service_types', self.alt_target))
@@ -238,6 +313,9 @@ class AdminTests(SubnetAPITestCase):
    def test_delete_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'delete_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'delete_subnet',
+                           self.target_net_alt_target))
        self.assertTrue(
            policy.enforce(self.context, 'delete_subnet', self.alt_target))

@@ -251,6 +329,10 @@ class ProjectMemberTests(AdminTests):
    def test_create_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'create_subnet', self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -261,6 +343,11 @@ class ProjectMemberTests(AdminTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'create_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet:segment_id',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -271,6 +358,11 @@ class ProjectMemberTests(AdminTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'create_subnet:service_types', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet:service_types',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -279,6 +371,9 @@ class ProjectMemberTests(AdminTests):
    def test_get_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'get_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'get_subnet',
+                           self.target_net_alt_target))
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -289,6 +384,10 @@ class ProjectMemberTests(AdminTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'get_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_subnet:segment_id', self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -297,6 +396,9 @@ class ProjectMemberTests(AdminTests):
    def test_update_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'update_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_subnet',
+                           self.target_net_alt_target))
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -307,6 +409,11 @@ class ProjectMemberTests(AdminTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'update_subnet:segment_id', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet:segment_id',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -317,6 +424,11 @@ class ProjectMemberTests(AdminTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'update_subnet:service_types', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet:service_types',
+            self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -325,6 +437,9 @@ class ProjectMemberTests(AdminTests):
    def test_delete_subnet(self):
        self.assertTrue(
            policy.enforce(self.context, 'delete_subnet', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'delete_subnet',
+                           self.target_net_alt_target))
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -342,6 +457,10 @@ class ProjectReaderTests(ProjectMemberTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'create_subnet', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -352,6 +471,10 @@ class ProjectReaderTests(ProjectMemberTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'update_subnet', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,
@@ -362,6 +485,10 @@ class ProjectReaderTests(ProjectMemberTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'delete_subnet', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_subnet', self.target_net_alt_target)
        self.assertRaises(
            base_policy.PolicyNotAuthorized,
            policy.enforce,