Add missing "system" scope in some of the new API policies

During the migration to the new RBAC policies we made mistakes and we
allowed some of the APIs to be available for SYSTEM users but we allowed
it only for "project" scope.
As we discussed during the PTG, the policy in such a case should also allow
using such APIs with "system" scope tokens.
This patch adds it where it was still missing.

Partially-Implements blueprint: secure-rbac-roles

Change-Id: Icfbd00040834b311e78138cc93e7ab86355e557c
changes/03/787703/1
Slawek Kaplonski 2 months ago
parent
commit
47038c27c5
3 changed files with 5 additions and 5 deletions
  1. neutron/conf/policies/floatingip.py (+1, -1)
  2. neutron/conf/policies/network.py (+3, -3)
  3. neutron/conf/policies/port.py (+1, -1)

neutron/conf/policies/floatingip.py (+1, -1)

@ -33,7 +33,7 @@ rules = [
'path': COLLECTION_PATH,
},
],
scope_types=['project'],
scope_types=['system', 'project'],
deprecated_rule=policy.DeprecatedRule(
name='create_floatingip',
check_str=base.RULE_ANY,
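Review bot: The deprecated_rule kept under the widened scope_types here still carries check_str=base.RULE_ANY, and that combination needs a second look. oslo.policy ORs a deprecated rule's check into the new default unless enforce_new_defaults is set, so with scope enforcement on and new defaults off, a system-scoped token may be accepted on the strength of RULE_ANY alone, whatever its role. The new check_str for this rule is not visible in the hunk; please confirm it names a system role, and state in the commit message or a release note which combination of enforce_scope and enforce_new_defaults this was tested with.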


neutron/conf/policies/network.py (+3, -3)

@ -46,7 +46,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_network',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
scope_types=['system', 'project'],
description='Create a network',
operations=ACTION_POST,
deprecated_rule=policy.DeprecatedRule(
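Review bot: No test change accompanies the widened scope_types on create_network; the commit touches only the three files under neutron/conf/policies. Please add a policy unit test that exercises this rule with a system-scoped admin context (expected: allowed) and, with new defaults enforced, a system-scoped context lacking the admin role (expected: denied by SYSTEM_ADMIN_OR_PROJECT_MEMBER), so the scope list and the check string are verified together rather than only by inspection.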
@ -94,7 +94,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_network:port_security_enabled',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
scope_types=['system', 'project'],
description=(
'Specify ``port_security_enabled`` '
'attribute when creating a network'
@ -187,7 +187,7 @@ rules = [
policy.DocumentedRuleDefault(
name='get_network:router:external',
check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['project'],
scope_types=['system', 'project'],
description='Get ``router:external`` attribute of a network',
operations=ACTION_GET,
deprecated_rule=policy.DeprecatedRule(
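Review bot: get_network:router:external is the only get_network attribute rule touched in this patch, and the commit message says the scope is added "where it was still missing" without saying how the remaining rules were checked. Were all other rules in network.py that use base.SYSTEM_OR_PROJECT_READER audited for a project-only scope_types? If an attribute rule is left at scope_types=['project'], a system reader's token would be treated differently for that attribute than for this one, so a sentence in the commit message listing what was audited would help.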


neutron/conf/policies/port.py (+1, -1)

@ -212,7 +212,7 @@ rules = [
policy.DocumentedRuleDefault(
name='create_port:binding:vnic_type',
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
scope_types=['system', 'project'],
description=(
'Specify ``binding:vnic_type`` '
'attribute when creating a port'
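Review bot: create_port:binding:vnic_type had the same mismatch as the other rules fixed in this commit, a check_str that names a system role (base.SYSTEM_ADMIN_OR_PROJECT_MEMBER) paired with scope_types=['project'], and nothing in the patch prevents it from recurring. Consider a unit test that walks the registered rule defaults and fails when a check string built from a SYSTEM_* constant is paired with a scope_types list lacking 'system'; that would also cover the rules still to be migrated under this blueprint.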

