From 5d505e7b7c3d9cd6b54f24baa58ded8a07fb6290 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Wed, 1 Feb 2023 11:48:34 +0100
Subject: [PATCH] [Secure RBAC] Add shared_security_groups rule

For shared security groups we need to have additional rule which will allow
to list shared SGs for projects which aren't owners of the SG.

Closes-bug: #2004015
Change-Id: Ic2a0e390f5baed6772bfeb5306052acaff657923
---
 neutron/conf/policies/security_group.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/neutron/conf/policies/security_group.py b/neutron/conf/policies/security_group.py
index 1dfd9097d24..5bd649dac82 100644
--- a/neutron/conf/policies/security_group.py
+++ b/neutron/conf/policies/security_group.py
@@ -42,6 +42,11 @@ rules = [
             RULE_ADMIN_OR_SG_OWNER),
         description=('Rule for resource owner, '
                      'admin or security group owner access')),
+    policy.RuleDefault(
+        name='shared_security_group',
+        check_str='field:security_groups:shared=True',
+        description='Definition of a shared security group'
+    ),
     # TODO(amotoki): admin_or_owner is the right rule?
     # Does an empty string make more sense for create_security_group?
     policy.DocumentedRuleDefault(
@@ -63,7 +68,10 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name='get_security_group',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.policy_or(
+            base.ADMIN_OR_PROJECT_READER,
+            'rule:shared_security_group'
+        ),
         scope_types=['project'],
         description='Get a security group',
         operations=[