[Secure RBAC] Add shared_security_groups rule

For shared security groups we need to have additional rule which will allow to list shared SGs for projects which aren't owners of the SG. Closes-bug: #2004015 Change-Id: Ic2a0e390f5baed6772bfeb5306052acaff657923
2023-02-01 11:48:34 +01:00
parent 06e2e22d31
commit 5d505e7b7c
1 changed files with 9 additions and 1 deletions
--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@@ -42,6 +42,11 @@ rules = [
            RULE_ADMIN_OR_SG_OWNER),
        description=('Rule for resource owner, '
                     'admin or security group owner access')),
+    policy.RuleDefault(
+        name='shared_security_group',
+        check_str='field:security_groups:shared=True',
+        description='Definition of a shared security group'
+    ),
    # TODO(amotoki): admin_or_owner is the right rule?
    # Does an empty string make more sense for create_security_group?
    policy.DocumentedRuleDefault(
@@ -63,7 +68,10 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='get_security_group',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.policy_or(
+            base.ADMIN_OR_PROJECT_READER,
+            'rule:shared_security_group'
+        ),
        scope_types=['project'],
        description='Get a security group',
        operations=[