openstack/neutron
Code Issues Proposed changes

[Secure RBAC] Add shared_security_groups rule

Browse Source 
For shared security groups we need to have additional rule which will allow
to list shared SGs for projects which aren't owners of the SG.

Closes-bug: #2004015
Change-Id: Ic2a0e390f5baed6772bfeb5306052acaff657923
This commit is contained in:
Slawek Kaplonski
2023-02-01 11:48:34 +01:00
parent 06e2e22d31
commit 5d505e7b7c
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
neutron/conf/policies/security_group.py
View File

@@ -42,6 +42,11 @@ rules = [
RULE_ADMIN_OR_SG_OWNER), RULE_ADMIN_OR_SG_OWNER),
description=('Rule for resource owner, ' description=('Rule for resource owner, '
'admin or security group owner access')), 'admin or security group owner access')),
policy.RuleDefault(
name='shared_security_group',
check_str='field:security_groups:shared=True',
description='Definition of a shared security group'
),
# TODO(amotoki): admin_or_owner is the right rule? # TODO(amotoki): admin_or_owner is the right rule?
# Does an empty string make more sense for create_security_group? # Does an empty string make more sense for create_security_group?
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
@@ -63,7 +68,10 @@ rules = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='get_security_group', name='get_security_group',
check_str=base.ADMIN_OR_PROJECT_READER, check_str=base.policy_or(
base.ADMIN_OR_PROJECT_READER,
'rule:shared_security_group'
),
scope_types=['project'], scope_types=['project'],
description='Get a security group', description='Get a security group',
operations=[ operations=[