From de69a5537830ee685ad8c3c7809d4410c9488903 Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Tue, 6 Apr 2021 15:35:39 +0200 Subject: [PATCH] Fix new API policies for RBAC During the migration to the new policies we set policy for {create,update}_rbac_policy:target_tenant was allowed for all admin users. That means that PROJECT_ADMIN was able to e.g. create RBAC policy for the object which belongs to different tenant. This patch fixes it as PROJECT_ADMIN should be only able to create or update RBAC for own objects. Related-blueprint: bp/secure-rbac-roles Change-Id: Idd8bfd7075bb537cb8f0398a1e513e74f4ac5eef --- neutron/conf/policies/rbac.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/neutron/conf/policies/rbac.py b/neutron/conf/policies/rbac.py
index 568aa7890ea..4db5226a1c4 100644
--- a/neutron/conf/policies/rbac.py
+++ b/neutron/conf/policies/rbac.py
@@ -53,7 +53,7 @@ rules = [
 name='create_rbac_policy:target_tenant',
 check_str=base.policy_or(
 base.SYSTEM_ADMIN,
- 'rule:restrict_wildcard'),
+ '(not field:rbac_policy:target_tenant=*)'),
 description='Specify ``target_tenant`` when creating an RBAC policy',
 operations=[
 {
@@ -89,7 +89,7 @@ rules = [
 name='update_rbac_policy:target_tenant',
 check_str=base.policy_or(
 base.SYSTEM_ADMIN,
- 'rule:restrict_wildcard'),
+ '(not field:rbac_policy:target_tenant=*)'),
 description='Update ``target_tenant`` attribute of an RBAC policy',
 operations=[
 {
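Review bot: The ownership restriction the commit message describes is not established by the new `check_str` line — `(not field:rbac_policy:target_tenant=*)` only denies a wildcard target to anyone who is not `SYSTEM_ADMIN`, so whether a project admin may create an RBAC entry for another project's object is still decided by the base `create_rbac_policy` rule, which is outside this hunk. If that base rule still admits any admin, this hunk narrows wildcard sharing but not cross-project sharing; please confirm it, or adjust the commit message so it matches what the rule actually enforces. The `description` line in the same hunk should also state the new contract so the generated policy docs match, e.g. `description='Specify ``target_tenant`` when creating an RBAC policy (``*`` requires system admin)'`. The enclosing `DocumentedRuleDefault` starts and ends outside the hunk.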
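Review bot: Both hunks drop the only visible references to `rule:restrict_wildcard`; if that rule is still defined in this file (its definition is outside the hunk) and nothing else consumes it, it is now dead policy and should be removed in the same change, or a comment should say what still uses it — a stale rule whose admin branch still permits wildcards is easy to re-wire by mistake. Since attribute-level checks like `update_rbac_policy:target_tenant` are, as far as I can tell, only consulted when the attribute is present in the request, the new check constrains widening a policy to `*` and nothing else; a one-line comment above `check_str` such as `# Only a system admin may share with every project ('*'); others must name one project.` would make that intent explicit. The enclosing rule definition starts and ends outside the hunk.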