From 47038c27c5ea5ac1c78a3d6382047f3cbbe466ef Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 23 Apr 2021 12:59:45 +0200
Subject: [PATCH] Add missing "system" scope in some of the new API policies
During the migration to the new RBAC policies we made mistakes and we allowed some of the APIs to be available for SYSTEM users but we allowed it only for "project" scope. As we discussed during the PTG, policy in such case should allows to use such API also for the "system" scope tokens. This patch adds it where it was still missing.
Partially-Implements blueprint: secure-rbac-roles
Change-Id: Icfbd00040834b311e78138cc93e7ab86355e557c
---
 neutron/conf/policies/floatingip.py | 2 +-
 neutron/conf/policies/network.py | 6 +++---
 neutron/conf/policies/port.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
index 682f9b56d9a..a17acefbbc3 100644
--- a/neutron/conf/policies/floatingip.py
+++ b/neutron/conf/policies/floatingip.py
@@ -33,7 +33,7 @@ rules = [
 'path': COLLECTION_PATH,
 },
 ],
- scope_types=['project'],
+ scope_types=['system', 'project'],
 deprecated_rule=policy.DeprecatedRule(
 name='create_floatingip',
 check_str=base.RULE_ANY,
diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py
index f6ceb4858ec..4297ba79b8c 100644
--- a/neutron/conf/policies/network.py
+++ b/neutron/conf/policies/network.py
@@ -46,7 +46,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_network',
 check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description='Create a network',
 operations=ACTION_POST,
 deprecated_rule=policy.DeprecatedRule(
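Review bot: None of the five rules that gain `'system'` in this series (`create_floatingip` here, `create_network` in this hunk, and `create_network:port_security_enabled`, `get_network:router:external` and `create_port:binding:vnic_type` in the hunks at -94, -187 and -212) is accompanied by a test change — the diffstat lists only the three policy modules — so nothing pins that a system-scoped token is now accepted by these rules or that `scope_types` and `check_str` stay in agreement. The network and port hunks show the check strings (`base.SYSTEM_ADMIN_OR_PROJECT_MEMBER`, `base.SYSTEM_OR_PROJECT_READER`), which already admit system roles, so the new scope list is consistent with them; the floatingip hunk shows only the deprecated `base.RULE_ANY`, so its new-default check string cannot be confirmed from this diff and should be eyeballed in the full file. A unit test per rule that enforces with a system-scope context and asserts success would catch a regression back to project-only scope. Note also that `scope_types` is only applied when oslo.policy's `enforce_scope` option is enabled, and the deprecated `RULE_ANY` rule visible above remains OR'd into the effective check until `enforce_new_defaults` is set, so on default settings this change alters no access decision; that is worth stating in a release note so operators know the scope fix only lands once they opt in. The `rules` list each hunk sits in starts and ends outside the hunk.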
@@ -94,7 +94,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_network:port_security_enabled',
 check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description=(
 'Specify ``port_security_enabled`` '
 'attribute when creating a network'
@@ -187,7 +187,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='get_network:router:external',
 check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description='Get ``router:external`` attribute of a network',
 operations=ACTION_GET,
 deprecated_rule=policy.DeprecatedRule(
diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py
index 53cc4a40b1f..ceb3ad72e59 100644
--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -212,7 +212,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='create_port:binding:vnic_type',
 check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['project'],
+ scope_types=['system', 'project'],
 description=(
 'Specify ``binding:vnic_type`` '
 'attribute when creating a port'